Someone get me rewrite: Apple delivers monster security update for OS X

Apple delivered a security update for Tiger and Leopard Tuesday with at least 80 patches addressing multiple vulnerabilities.

You know it's a big patch haul from Apple when you read the advisory and:

  • You're not sure where to begin;
  • You're IMing fellow security folks (Ryan Naraine) to count CVE numbers for some clue of how many patches are included.

Depending on who was counting, I've come up with about 85 CVE numbers, but there are some duplicates in there. Extract those and you still get a tally of roughly 80. The OS X update follows a Safari security update. Looks like Apple is updating its product line today.

Among the highlights:

  • ClamAV (CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728): This fix addresses multiple vulnerabilities in Mac OS X Server v10.5.2. Apple says: "Multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution."
  • CUPS (CVE-2008-0047, CVE-2008-0053, CVE-2008-0882): Apple updated Mac OS X v10.5.2 and Mac OS X Server v10.5.2 because "multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges."
  • Emacs (CVE-2007-5795): This update for Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a vulnerability that allows safe mode checks in Emacs to be bypassed.
  • OpenSSH (CVE-2007-4752): The update for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a flaw in OpenSSH that allows a remote attacker "to execute arbitrary code with elevated privileges."
  • Printing (CVE-2008-0996): Apple updated Mac OS X v10.5.2 and Mac OS X Server v10.5.2 to thwart a print queue issue. Apple says: "An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5."
  • System Configuration (CVE-2008-0998): The update covers Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The problem: "The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects."
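
The CVE count described above (raw mentions versus unique IDs), plus a filter for which fixes apply to a given install, as an added example that is not part of the original article or Apple's advisory. The CVE IDs and affected versions are the ones quoted in the highlights; the one-line-per-entry input shape, the function names and the final repeat entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: one line per highlight, "Component (CVEs): affected versions".
# The last line is a constructed repeat mention to exercise de-duplication.
ADVISORY = """\
ClamAV (CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728): Mac OS X Server v10.5.2
CUPS (CVE-2008-0047, CVE-2008-0053, CVE-2008-0882): Mac OS X v10.5.2, Mac OS X Server v10.5.2
Emacs (CVE-2007-5795): Mac OS X v10.5.2, Mac OS X Server v10.5.2
OpenSSH (CVE-2007-4752): Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2
Printing (CVE-2008-0996): Mac OS X v10.5.2, Mac OS X Server v10.5.2
System Configuration (CVE-2008-0998): Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2
Printing (CVE-2008-0996): repeat mention, Mac OS X v10.5.2
"""

ENTRY = re.compile(r"^(?P<comp>[^(\n]+?)\s*\((?P<cves>CVE-[^)]*)\):(?P<body>.*)$", re.M)
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
PLATFORM = re.compile(r"Mac OS X (Server )?v(\d+(?:\.\d+)+)")

def parse_entries(text):
    """Split advisory text into component, CVE list and (is_server, version) pairs."""
    entries = []
    for m in ENTRY.finditer(text):
        platforms = {(bool(srv), ver) for srv, ver in PLATFORM.findall(m["body"])}
        entries.append({"component": m["comp"].strip(),
                        "cves": CVE.findall(m["cves"]),
                        "platforms": platforms})
    return entries

def tally(entries):
    """Return (raw CVE mentions, unique CVE IDs); the gap is the duplicate count."""
    mentions = [cve for e in entries for cve in e["cves"]]
    return len(mentions), len(set(mentions))

def applicable(entries, server, version):
    """Map component -> sorted unique CVEs fixed for one product/version pair."""
    hits = defaultdict(set)
    for e in entries:
        if (server, version) in e["platforms"]:
            hits[e["component"]].update(e["cves"])
    return {comp: sorted(cves) for comp, cves in sorted(hits.items())}

if __name__ == "__main__":
    parsed = parse_entries(ADVISORY)
    print("mentions / unique:", tally(parsed))
    print("client 10.4.11:", applicable(parsed, False, "10.4.11"))
    print("server 10.5.2:", list(applicable(parsed, True, "10.5.2")))
```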

Talkback

145 comments
  • " *gasp* I thought Macs were secure and superior and invulnerable!"

    --any Mac user, blind fool, or someone who needs to get laid more than I.
    HypnoToad
    • Macs are superior

      But anybody who believes that any system, or anything, is 100% secure and invulnerable is living in another universe.

      Or perhaps he is just a hypnotized toad.
      jorjitop
      • of course Mac are superior

        The price is one point that all Apple products have in common: Superior High Price and The Superiority Complex of it's users.

        The reality is the more people use a product the more flaws will be discovered. Give it 3 to 5 years and the many Mac OS "superior" flaws will compete in number to the Windows platform.
        Mectron
        • LOL!

          "The Superiority Complex of it's users"
          GuidingLight
        • so is the company

          at least they are fixing the problems when they are discovered instead of trying to hide them until the public panics or they are exploited...
          fde101
          • because...

            Because Microsoft must test the patch and check if the patch will not cause more trouble, especially at the corporate level. And even with caution a patch can cause troubles with third party software.

            Apple didn't present this problem because the number of third-party software is pretty limited and the lack of corporate users will help to send patches and fixes on any schedule.

            Linux will solve this trouble with :
            -bloating the os "ADDING" a new version of a library/component (skipping to delete the old one)
            -changing (and in some cases breaking) the functionality of third party software, this cause massive updates of the system.
            magallanes
          • LOL

            "Linux will solve this trouble with :
            -bloating the os "ADDING" a new version of a library/component (skipping to delete the old one)
            -changing (and in some cases breaking) the functionality of third party software, this cause massive updates of the system."

            That's hilarious. Have you actually used Linux, or is this second hand FUD?
            hasta la Vista, bah-bie
          • Not second-hand fud...

            It's hilarious because it's true but they forgot one other point:

            -Publish a kernel update that may or may not hose my system and/or cause me to recompile software, etc.
            jmiller1978
          • Never happened to me

            Not in the two years I've used it.

            But then I only update what's absolutely necessary, leaving my home directory intact.
            hasta la Vista, bah-bie
          • fixing the problems when they are discovered

            "fixing the problems when they are discovered"

            ever heard of UpdateTuesday...????

            Apple is the most secretive, closed system there is between the 3 major OS's, if anyone hides something it's them...

            funny last week when I installed WinXP SP2 I got nailed for 91 updates...Apple is not far behind now, lol
            rkostynu@...
          • No, they're doing it to avoid a class action lawsuit...

            ~
            hasta la Vista, bah-bie
        • Let me get this straight.....

          Did you just say that the Windows platform has currently
          MORE known flaws than the Mac? It seems you did.

          I don't mind a good insult especially when it is delivered in
          an amusing fashion but this while amusing I don't think you
          meant:)

          Pagan jim
          James Quinn
          • I don't think he was trying to defend MS

            What he actually said was that since most people use MS there is a greater chance that whatever flaws there are will be discovered. These flaws will also affect a lot more people, so it will be bigger news.

            So be proud that Shepherd Jobs's troops found these flaws in your Mac. It just means more people are using your platform.
            tikigawd
          • I wonder.....

            Do we know for a fact that these flaws were not found by
            Apple itself?

            I am happy that there are more Mac and OSX users out
            there and it's growing that is good. However I don't know
            for a fact that any Mac "USER" has reported anything
            beyond bugs and not so much security issues. One is easy
            for a user to detect the other not so much. Still
            regardless of where the detection comes from I'm glad for
            it that is for sure.

            And yes Apple does have some FANTASTIC shock troops.
            Special Forces bah nothing compared to the Apple Core...:P

            Pagan jim
            James Quinn
    • Only Windows users believe that myth.

      No Mac user has ever said it, but it seems to be a popular
      mantra among Windows users. Perhaps it's a longing for
      something so far removed from their mundane lives.
      frgough
      • Look at the post below yours

        He sure thinks Macs are invulnerable to any malware...
        tikigawd
        • Actually there are quite a few that spout that...

          he may not...but there are a lot of very amateurish, naive but arrogant Mac users who think that.
          ItsTheBottomLine
        • He never said that.

          He asked for proof of past exploits. He never said Macs are
          invulnerable.
          msalzberg
      • Actually you are pretty wrong on that...

        There are a lot of fanboys in these forums that say that. So while I know you probably haven't I have personally seen the more zealots paraphrase that very comment.
        ItsTheBottomLine
      • pfft

        I am told all the time how macs can't get viruses. People actually believe that. People are dumb. Get over yourself.
        evilkillerwhale@...