Apple patches 20 security holes
Apple Computer on Wednesday 3/2/2006 patched 20 security holes ranging from denial-of-service to very serious code execution flaws. Apple's security update 2006-001 fixes the following issues in OS X 10.3.9 to 10.4.5:
- Multiple PHP 4.4 issues in apache_mod_php.
- OS X File server DoS or arbitrary code execution with automount.
- Directory traversal issue in BOM, a framework that handles certain archive files.
- Directory services issue where local users can modify files as root.
- FileVault issue that allows files to be accessed when FileVault images are created.
- IPSec denial of service flaw.
- Arbitrary code execution flaw in LibSystem. (OS 10.4.5 only)
- Mail fails to validate certain disguised files that are unsafe. (OS 10.4.5 only)
- Perl continues to run as root even when privileges are supposed to drop. (OS 10.3.9 only)
- Rsync flaw that can lead to a crash or arbitrary code execution. (OS 10.4.5 only)
- Three serious arbitrary code execution flaws in Safari.
- Safari can access local files that shouldn't be accessible.
- Safari and LaunchServices can launch arbitrary code when viewing malicious websites. This fix patches the critical zero-day exploit released last month.
- RSS syndication flaw that may lead to cross-site scripting. (OS 10.4.5 only)
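The BOM item above is a directory traversal flaw in an archive handler: an entry name such as `../../something` resolves outside the directory the archive is being unpacked into. The following is an added example, not Apple's BOM code and not from the original article, showing the check an extractor needs to make before writing each entry. The archive contents and the extraction directory are constructed here for the demonstration.

```python
import io
import os
import shutil
import tempfile
import zipfile


def is_safe_entry(name: str, dest: str) -> bool:
    """Return True only if archive entry `name` would land inside `dest`."""
    # Empty names, absolute paths and Windows-style separators are rejected
    # outright rather than normalised; an archive has no business using them.
    if not name or name.startswith("/") or "\\" in name:
        return False
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, name))
    # After resolving any ".." components the target must still be under dest.
    return target == dest_abs or target.startswith(dest_abs + os.sep)


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "harmless content")
        # zipfile does not sanitise names on write, so the traversal entry is
        # stored exactly as given, the way a hostile archive would carry it.
        zf.writestr("../../outside.txt", "would escape the extraction directory")
    return buf.getvalue()


def extract_safely(data: bytes, dest: str):
    """Extract only entries that stay inside dest; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not is_safe_entry(info.filename, dest):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written, rejected


def demo():
    """Run the extractor against the constructed archive in a scratch directory."""
    dest = tempfile.mkdtemp(prefix="traversal-demo-")
    try:
        return extract_safely(build_sample_archive(), dest)
    finally:
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    written, rejected = demo()
    print("written:", written)
    print("rejected:", rejected)
```

The check is done on the resolved absolute path rather than by searching the name for `..`, so `a/../b.txt` (which stays inside the destination) is allowed while `a/../../b.txt` is not. Symbolic link entries, which this format-agnostic check does not see, need their own handling in a real extractor.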
Apple's update also included two enhancements that tighten security. The first is an improvement in FileVault that gives it more restrictive OS privileges. The second adds additional warnings to iChat to warn users about unsafe files like the Leap.A worm.
Talkback
So here's the quiz
RE: So here's the quiz
You tell me
wrong question!
bundle and so should be considered OS flaws. Even if they are flaws
in Safari-only code or in (not Apple) Apache.
Better question ... how many CVE issues were negated by these 20
patches? It looked to me like a few of the patches addressed more
than one potential exploit.
Relevance??
What's the relevance??? will you also start posting about all the other OS's when they've got an update??????
Next week is Patch Tuesday, I would expect an announcement as well!!!!
Where have you been
As for Patch Tuesday, there will be a post if it's newsworthy like the WMF issues.
I still fail to see any relevance
As I've learned with these lists, it's not all that meets the eye.
Below was interesting because it provided some extra information concerning a security update :)
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf
Interesting read for you George
Interesting read for you from today's Black Hat conference over here in Amsterdam. I already like the title of the presentation ;)
Skeletons in Microsoft's Closet - Silently Fixed Vulnerabilities
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf
Though they used MS, they also remark that more vendors might be doing (I'm sure they will ;) ).
So let's stop the nonsense of counting, as we never know for sure what has been fixed with an update (unless you want to make the effort these guys did).
Talkback
It's an all-purpose equal opportunity forum for venting, complimenting, cajoling, politeness, ire, disdain, approval, disapproval all wrapped up into one nice tidy blog! ;)
Thanks George. What's the next topic? :)
Reading Dietrich is fun
reading 'riting 'rithmetic
Thanks TomB for lighting up this place! :)
No No
Though I look forward to reading the next bulletin about flaws found in the Commodore Amiga, as I still have one in my attic and it still rocks!!!!!!
I would be even more delighted if he would have one about the VIC-20 or the Sinclair. I still miss the old PEEK and POKE commands and actually typing the line numbers myself ;)
MAC fan
You may infer
re : Talkback
OK OK
Just one thing, can you confirm that php, perl and apache are problems for me, running as a typical home owner?
George, how DARE you!!!
Ahhh, I think this blog shows the true nature of the Mac zealot: give them yet another factual blog and they go nuts defending Apple for something that wasn't even an attack! Eh, I kind of feel sorry for them. :(
Bit of a strawman NZ
zealot: give them yet another factual blog and they go nuts
defending Apple for something that wasn't even an attack! ---
Really? George is being attacked for posting this information by
lots and lots of zealots? If anything, I see people using this
information to question George further about his arbitrary and
meaningless study he posted elsewhere, which has been a topic
of debate not strictly limited to "mac-zealots", as lots of our
local Linux folks have chimed in on his methodology.
But, if it makes you feel better to make up an imaginary enemy,
and an imaginary set of attacks, and then to publicly declare that
you're so much more mature and smarter than the imaginary
attackers, well, good for you I guess.
---Eh, I kind of feel sorry for them.---
"Sorry" is not the word I'd use to describe your reaction.
"Insecure" might be better.
We know...
will continue to supply timely updates to plug the holes. Now,
exactly how many OSX systems over the past 5 years needed to
be nuked/repaved due to malware/spyware crappola? You know
that thousands of Win boxen have experienced that 'remedy.'
Geez, just check with your local Best Buy or CompUSA or local
PC shop with their advert in the window indicating that they
specialize in cleaning up Windows PCs. Where the rubber meets
the road, it appears that OSX will continue to be the better path,
even though we know it's imperfect.
I Hope
I like reading George's blog, because I sometimes need some distraction, but reading security bulletins, however large, is not my kind of thing ;)