Focus on Apple
Apple releases Security Update 2007-007 Aug 01 2007 12:44AM
Todd Woodward (todd_woodward symantec com) (1 replies)
Re: Apple releases Security Update 2007-007 Aug 01 2007 04:01PM
Mark Senior (senatorfrog gmail com) (1 replies)
Re: Apple releases Security Update 2007-007 Aug 01 2007 07:19PM
Dave Schroeder (das doit wisc edu)

On Aug 1, 2007, at 11:01 AM, Mark Senior wrote:

> While the full list is too long to give in detail, the mDNSResponder
> item is too priceless not to post in full, I think:
>
> -----
> mDNSResponder
>
> CVE-ID: CVE-2007-3744
>
> Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10
>
> Impact: An attacker on the local network may be able to cause a denial
> of service or arbitrary code execution
>
> Description: A buffer overflow vulnerability exists in the UPnP IGD
> (Internet Gateway Device Standardized Device Control Protocol) code
> used to create Port Mappings on home NAT gateways in the Mac OS X
> implementation of mDNSResponder. By sending a maliciously crafted
> packet, an attacker on the local network can trigger the overflow
> which may lead to an unexpected application termination or arbitrary
> code execution. This update addresses the issue by removing UPnP IGD
> support. This issue does not affect systems prior to Mac OS X v10.4.
> ----
>
>
> Which I would read as - our UPnP IGD implementation is hopelessly
> broken. It can never be fixed. We give up.

Yeah, I thought that humorous, too.

But - and not to kill a good laugh - it could simply also mean,

"we're removing the vulnerable pieces until we can properly fix
them", or

"this is broken now, but is fixed in [future release]", etc.

For what it's worth, the samba issue that recently was added to
metasploit about which much hay has been made the last couple of days
(plus two other outstanding samba issues) is also fixed in SecUpd
2007-007.

- Dave0? *?H?÷
 ?0?1 0 +0? *?H?÷
 ?,0?ô0?] DM0
 *?H?÷
0S1 0 UUS10U
Equifax Secure Inc.1&0$UEquifax Secure eBusiness CA-10
050829160720Z
150829160720Z0?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison0?0
 *?H?÷
0?èHQÜ%wË ktëùNßM}V?ïȶÂ#¹.³S*?¥I|R±%ö3?~?cëG:!+·Ä? ÇL$ò­©«
8)?¿.Æ01qL|?I?¿Öm²\×[¼'¯íG̪»´V ?ëùçe><|¯÷?°
æp;?Ã??£?0?0Uÿ?0U?RRbG,k,¸iñ©7,#$0U
#0?Jx2RÛY6^ßÁ6@jG|L¡0Uÿ0ÿ09U2000. , *?(http://cr
l.geotrust.com/crls/ebizca1.crl0
 *?H?÷
%ñDX3wç֍ת· ?7kæÞßµ±z°c_?+åLÓPpGOsÉ>ف¬ÐDÓ±Ü-++?ü}£Z?? d£Áù'öTï¡*)ÿw~G²?¨ø
Oµö¬U~ºbSJh,óN¨GTaßs\ÇDØéR#êeb¨Åg0?00?? 
0
 *?H?÷
0?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison0
060921213052Z
070921213052Z0¾1 0 UUS10U Wisconsin10UMadison1(0&U
University of Wisconsin-Madison1#0!U Faculty - Staff - Students10UDavid Schroeder1 0 *?H?÷
 das (at) doit.wisc (dot) edu0 [email concealed]?0
 *?H?÷
0????èöÆ?³G¡J[ ¨×
Qò?sJ?'Uî.øë
ÂC«ÓmÂ?5(¢?äðÛ¢1?Hµ8iä¬C°«é£ Ê¢4ÝsR|F?Sû?©¶2±ï?Æ?´zó?¬ÿPïí?ð?ÖÜ5àò?ݐ?ÕÍnæ?y
>ªÛ% ?ä¹£p0n0Uÿà0;U40200 . ,?*http://crl.geotrust.com/cr
ls/wisconsin.crl0U#0??RRbG,k,¸iñ©7,#$0
 *?H?÷
¯?Ïè®`:ÍDD?¼7µ(?AÞÈæZ_?ÙxmæÀ!ÖÓr?óÌ~X²8Ưâ"ô0%¶Â¸:Â!Í?ü?KË
CÏ?6õëÒ?5Ѭ?
:Ñat¡q"ٝöï­ÍA???±},ߪ&KÐ]9ev¬ëgxDEåð·Ë1?â0?Þ00?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison
0 + ?§0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
070801191937Z0# *?H?÷
 1Z] ?Æm՝+2dlìv_ÊVe90¡ +?71?00?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison
0£ *?H?÷
  1? 0?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison
0
 *?H?÷
?ÁÔÒ?MÌaàÀàâ&æ!ä?¤Aqn[A?X|@?õåÓ`¶?'xìm(·¹D`?Ü·bD?Xy?ËÆÿ
?i"?ÁÛÄRf²°?GVCf­?'ÆG»:×ø<ÆeîÝ/2Ädm}¿2ôàT3?ê?¦fÒ»f???

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus