Apple patches 20 security holes

Apple Computer on Wednesday 3/2/2006 patched 20 security holes ranging from denial of service to very serious code execution flaws. Apple's security update 2006-001 fixes the following issues in OS X 10.3.9 to 10.4.5:

  • Multiple PHP 4.4 issues in apache_mod_php.
  • OS X file server denial of service or arbitrary code execution via automount.
  • Directory traversal issue in BOM, a framework that handles certain archive files.
  • Directory Services issue where local users can modify files as root.
  • FileVault issue that allows files to be accessed when FileVault images are created.
  • IPSec denial-of-service flaw.
  • Arbitrary code execution flaw in LibSystem. (OS 10.4.5 only)
  • Mail fails to validate certain disguised, unsafe files. (OS 10.4.5 only)
  • Perl continues to run as root even when privileges are supposed to drop. (OS 10.3.9 only)
  • Rsync flaw that can lead to a crash or arbitrary code execution. (OS 10.4.5 only)
  • Three serious arbitrary code execution flaws in Safari.
  • Safari can access local files that shouldn't be accessible.
  • Safari and LaunchServices can launch arbitrary code when viewing malicious websites. This fix patches the critical zero-day exploit released last month.
  • RSS syndication flaw that may lead to cross-site scripting. (OS 10.4.5 only)

Apple's update also includes two enhancements that tighten security. The first gives FileVault more restrictive OS privileges. The second adds warnings in iChat about unsafe files such as the Leap.A worm.

Talkback

  • So here's the quiz

    How many of those are OS flaws?
    Robert Crocker
    • RE: So here's the quiz

      I'm not sure he can tell the difference (or wants to) - this seems to be the deliberate case for most MS trollsters. If he can, then he doesn't really care about spreading misinformation - he just wants a troll-fest.
      barsteward
    • You tell me

      So when Microsoft releases a patch for Macromedia flash because they bundled it with a really old version of IE, Secunia counts that against Microsoft as well. If it comes bundled with the OS, then Microsoft ultimately takes responsibility for it. Maybe you should too.
      george_ou
    • wrong question!

      It looked to me like most of the flaws listed came with the OS bundle and so should be considered OS flaws. Even if they are flaws in Safari-only code or in (not Apple) Apache.

      Better question ... how many CVE issues were negated by these 20 patches? It looked to me like a few of the patches addressed more than one potential exploit.
      dlmeyer@...
  • Relevance??

    George,

    What's the relevance??? Will you also start posting about all the other OSes when they've got an update?

    Next week is Patch Tuesday, I would expect an announcement as well!
    tombalablomba
    • Where have you been

      I've been posting on flaws with Cisco, Microsoft, Mozilla, Apple, and security in general. Listening to you makes me wonder where you've been all this time.

      As for Patch Tuesday, there will be a post if it's newsworthy like the WMF issues.
      george_ou
      • I still fail to see any relevance

        in just posting a list, with updates. It's as boring to read as any listing full of software updates, whether they are MS, Cisco, Mozilla or Apple's. Maybe I just miss the extra information which makes such a list interesting :).

        As I've learned with these lists, it's not all that meets the eye.

        Below was interesting because it provided some extra information concerning a security update :)

        http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf
        tombalablomba
  • Interesting read for you George

    George,

    Interesting read for you from today's Black Hat conference over here in Amsterdam. I already like the title of the presentation ;)

    Skeletons in Microsoft's Closet - Silently Fixed Vulnerabilities

    http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf

    Though they used MS, they also remark that more vendors might be doing this (I'm sure they will ;) ).

    So let's stop the nonsense of counting, as we never know for sure what has been fixed with an update (unless you want to make the effort these guys did).
    tombalablomba
  • Talkback

    Talkbacks are great.

    It's an all-purpose equal opportunity forum for venting, complimenting, cajoling, politeness, ire, disdain, approval, disapproval all wrapped up into one nice tidy blog! ;)

    Thanks George. What's the next topic? :)
    D T Schmitz
    • Reading Dietrich is fun

      :)
      tombalablomba
      • reading 'riting 'rithmetic

        reading is FUNdaMENTAL!
        Thanks TomB for lighting up this place! :)
        D T Schmitz
        • No No

          Thank you, because reading about security updates is rather boring. Especially when it is about an OS that you haven't got ;).

          Though I look forward to reading the next bulletin about flaws found in the Commodore Amiga, as I still have one in my attic and it still rocks!

          I would be even more delighted if he would have one about the VIC-20 or the Sinclair. I still miss the old PEEK and POKE commands and actually typing the line numbers myself ;)
          tombalablomba
        • MAC fan

          Does this imply that you frequently visit MacDonalds?
          tombalablomba
          • You may infer

            Hold the pickles. Hold the lettuce. Please. ;)
            D T Schmitz
    • re : Talkback

      It's a bit of an insult to blogs to call this a blog; it should be called "Trolls".
      barsteward
  • OK OK

    You've convinced me - I'm selling my Mac and buying another Windows machine.

    Just one thing, can you confirm that PHP, Perl and Apache are problems for me, running as a typical home owner?
    JulesLt
  • George, how DARE you!!!

    You anti-Mac zealot, how dare you post a factual article about what was fixed in the latest release! How dare you use flawed numbers from Secu... oh, wait, this info is from Apple? Well, um, how DARE you use flawed numbers from Appl... oh, wait, Apple is perfect. Nothing coming from Apple could be flawed. Um... ah... BRAIN EXPLODING!!!

    Ahhh, I think this blog shows the true nature of the Mac zealot: give them yet another factual blog and they go nuts defending Apple for something that wasn't even an attack! Eh, I kind of feel sorry for them. :(
    NonZealot
    • Bit of a strawman NZ

      ---Ahhh, I think this blog shows the true nature of the Mac zealot: give them yet another factual blog and they go nuts defending Apple for something that wasn't even an attack! ---

      Really? George is being attacked for posting this information by lots and lots of zealots? If anything, I see people using this information to question George further about his arbitrary and meaningless study he posted elsewhere, which has been a topic of debate not strictly limited to "mac-zealots", as lots of our local Linux folks have chimed in on his methodology.

      But, if it makes you feel better to make up an imaginary enemy, and an imaginary set of attacks, and then to publicly declare that you're so much more mature and smarter than the imaginary attackers, well, good for you I guess.

      ---Eh, I kind of feel sorry for them.---

      "Sorry" is not the word I'd use to describe your reaction. "Insecure" might be better.
      tic swayback
    • We know...

      that OSX has patchable/patched vulnerabilities. Hopefully, Apple will continue to supply timely updates to plug the holes. Now, exactly how many OSX systems over the past 5 years needed to be nuked/repaved due to malware/spyware crappola? You know that thousands of Win boxen have experienced that 'remedy.' Geez, just check with your local Best Buy or CompUSA or local PC shop with their advert in the window indicating that they specialize in cleaning up Windows PCs. Where the rubber meets the road, it appears that OSX will continue to be the better path, even though we know it's imperfect.
      Brich
    • I Hope

      This doesn't mean that we have to read through every update on every thinkable OS when they've had a security update.

      I like reading George's blog, because I sometimes need some distraction, but reading security bulletins, however large, is not my kind of thing ;)
      tombalablomba