Welcome to p2pnet.net - The original daily p2p and digital news site. Always First!

Serious Apple security flaws

p2p news / p2pnet:- Apple has released fixes for serious security problems. Called security enhancements, they're recommended for all Mac users, says the company.

Security Update 2005-008 fixes are for:

  • LibSystem
  • LoginWindow
  • Mail
  • QuickDraw
  • QuickTimeJava
  • Safari
  • SecurityAgent
  • SecurityServer

Separate versions are available for Mac OS X v10.3.9 and Mac OS X v10.4.2.

ImageIO – CVE-ID: CAN-2005-2747: Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Viewing a maliciously-crafted GIF image may result in arbitrary code execution.

Mail – CVE-ID: CAN-2005-2746: Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: When using auto-reply rules, Mail.app may expose the contents of encrypted messages.
Mail – CVE-ID: CAN-2005-2745: Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: When using Kerberos Version 5 for SMTP authentication, Mail.app may disclose sensitive information.

Malloc – CVE-ID: CAN-2005-2748: Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Insecure file handling may result in local privilege escalation.

QuickDraw Manager – CVE-ID: CAN-2005-2744: Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Viewing a maliciously-crafted PICT image may result in arbitrary code execution.

QuickTime for Java – CVE-ID: CAN-2005-2743: Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: An untrusted applet may gain elevated privileges.

Ruby – CVE-ID: CAN-2005-1992: Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Ruby applications utilizing the xmlrpc module may be vulnerable to arbitrary code execution.

Safari – CVE-ID: CAN-2005-2524: Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Maliciously crafted web archives could potentially allow cross-site scripting.

SecurityAgent – CVE-ID: CAN-2005-2742: Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: A user with physical access to the system may be able to bypass the “Require password to wake this computer from sleep or screen saver” setting.

Securityd – CVE-ID: CAN-2005-2741: Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Malicious users may grant themselves rights to manipulate arbitrary files or perform other privileged actions.


3 Responses to “Serious Apple security flaws”

  1. Reader's Write Says:

    Good Job Apple. It is good to see that you are staying on top of security issues that arise as you further develop and release improved applications and operating systems.

  2. Reader's Write Says:

    Nano Nano!

  3. Reader's Write Says:

    As usual Apple is on top of its security issues and patching them. Apple never skips a month.

    Most interesting, none of these theoretical “vulnerabilities” poses any actual danger since NONE of them TO DATE have EVER resulted in a worm or virus in the wild. So counting these vulnerabilities in no way measures Mac OS X’s actual security metric. Contrary to what the whores at Symantec would have us believe.

    The only complaint I have about the monthly Apple security updates is that each update requires a system restart. So do a lot of other updates that Apple provides and frankly, that paradigm is so last century. I would not expect it from a modern OS. Still I suppose a security update followed by a reboot puts the computer in a known good state, and that is more important than uptime (I like to brag about my uptime ;-)
