Focus on Apple
Apple releases 2008-004 Security Update and Mac OS X 10.5.4 Jul 01 2008 04:05PM
Todd Woodward (todd_woodward symantec com) (1 replies)
RE: Apple releases 2008-004 Security Update and Mac OS X 10.5.4 Jul 01 2008 04:23PM
Dixon, Wayne (wcdixo aurora lib il us)
Does anybody think that, with the increase of open-source bugs within Mac OS X, Apple will begin to increase the frequency of security updates? Possibly separating security updates for open-source items from Apple proprietary updates?

Wayne Dixon
Assistant Network Manager
Aurora Public Library
1 E. Benton Street
Aurora, IL 60505
Phone: 630-264-4257
Fax: 630-896-3209
Email: wcdixo (at) aurora.lib.il (dot) us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Todd Woodward
Sent: Tuesday, July 01, 2008 11:06 AM
To: Focus Apple
Subject: Apple releases 2008-004 Security Update and Mac OS X 10.5.4

Apple today released Security Update 2008-004 and Mac OS X 10.5.4.

The updates address the following issues:

Alias Manager

Type: Maliciously crafted volume mount; Unexpected application termination; Arbitrary code execution; Memory corruption
Platform: Mac OS X & Mac OS X Server 10.4.11 on Intel only
Resolution: Perform validation of alias data structures
Credit: None listed

CoreTypes

Type: Lack of warning when opening certain unsafe content
Platform: Mac OS X & Mac OS X Server 10.4.11, Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Add flagging of .xht and .xhtm files to user notification
Credit: Brian Mastenbrook

c++filt

Type: Unexpected application termination; Arbitrary code execution
Platform: Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Improved format string handling
Credit: None listed

Dock

Type: Screen lock bypass via physical access
Platform: Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Disable hot corners when screen lock is active
Credit: Andrew Cassell of Marine Spill Response Corporation

Launch Services

Type: Arbitrary code execution; Race condition
Platform: Mac OS X & Mac OS X Server 10.4.11
Resolution: Additional validation of downloaded files
Credit: None listed

Net-SNMP

Type: Remote attack; spoof SNMPv3 packets; Authentication bypass
Platform: Mac OS X & Mac OS X Server 10.4.11, Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Increased validation of SNMPv3 packets
Credit: http://www.kb.cert.org/vuls/id/878044

Ruby

Type: Memory corruption; Unexpected application termination; Arbitrary code execution
Platform: Mac OS X & Mac OS X Server 10.4.11, Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Increased validation of strings and arrays
Credit: None listed

Type: Remote attack; Information disclosure
Platform: Mac OS X & Mac OS X Server 10.4.11, Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Improved validation of file names
Credit: http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/

SMB File Server

Type: Remote attack; Arbitrary code execution; Heap buffer overflow
Platform: Mac OS X & Mac OS X Server 10.4.11, Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Improved bounds checking
Credit: Alin Rad Pop of Secunia Research

System Configuration

Type: Local attack; Arbitrary code execution; Privilege elevation
Platform: Mac OS X & Mac OS X Server 10.4.11
Resolution: More restrictive permissions
Credit: Andrew Mortensen of the University of Michigan

Tomcat

Type: Multiple vulnerabilities; cross-site scripting attack
Platform: Mac OS X & Mac OS X Server 10.4.11
Resolution: Tomcat updated to 4.1.37
Credit: http://tomcat.apache.org/

VPN

Type: Remote attack; Unexpected application termination; Divide by zero
Platform: Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Additional validation of load balancing information
Credit: None listed

WebKit

Type: Memory corruption; Unexpected application termination; Arbitrary code execution; JavaScript
Platform: Mac OS X & Mac OS X Server 10.5 through 10.5.3
Resolution: Improved bounds checking
Credit: James Urquhart

More details can be found in the following Apple Knowledge Base document: http://support.apple.com/kb/HT2163

###

Todd D. Woodward
Technical Support Engineer
NetBackup Support
Symantec Corporation
www.symantec.com
Springfield, Oregon
--------------------
Office: 541-335-7441
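
The Net-SNMP item above only says "Increased validation of SNMPv3 packets". The CERT note it credits, VU#878044, describes the underlying flaw: the receiver compared only as many HMAC bytes as the incoming packet's msgAuthenticationParameters field carried, instead of insisting on the 12-octet tag that RFC 3414 requires, so a sender could supply a one-byte tag and guess it in at most 256 tries. The following is an added illustration, not code from the post, from Apple, or from Net-SNMP. The function names, the key and message bytes are constructed for the example; the real USM computes the HMAC over the message with the authentication field zeroed and uses a localized key, both of which are simplified away here.

```python
"""Added example: why an SNMPv3 receiver must enforce the fixed length of
msgAuthenticationParameters before comparing HMAC tags (VU#878044 pattern)."""
import hashlib
import hmac
from typing import Callable, Optional

# RFC 3414 USM: HMAC-MD5-96 truncates the MAC to 12 octets, and the receiver
# must return authenticationError if the received field is not 12 octets long.
AUTH_PARAM_LEN = 12

# Constructed sample input (hypothetical key and message, not a real capture).
SAMPLE_KEY = b"constructed-localized-auth-key"
SAMPLE_MSG = b"constructed SNMPv3 message bytes with authParams zeroed"


def compute_auth_params(key: bytes, msg: bytes) -> bytes:
    """Sender side: HMAC-MD5 over the message, truncated to 12 octets."""
    return hmac.new(key, msg, hashlib.md5).digest()[:AUTH_PARAM_LEN]


def verify_vulnerable(key: bytes, msg: bytes, received: bytes) -> bool:
    """Flawed check: compares only as many bytes as the *sender* supplied.
    A 1-byte field therefore needs at most 256 guesses to be accepted."""
    expected = hmac.new(key, msg, hashlib.md5).digest()
    n = len(received)
    return n > 0 and hmac.compare_digest(expected[:n], received)


def verify_fixed(key: bytes, msg: bytes, received: bytes) -> bool:
    """Corrected check: reject any tag that is not exactly 12 octets, then
    compare the full truncated HMAC in constant time."""
    if len(received) != AUTH_PARAM_LEN:
        return False  # RFC 3414 section 7.3.2: authenticationError
    return hmac.compare_digest(compute_auth_params(key, msg), received)


def forge_one_byte(key: bytes, msg: bytes,
                   verify: Callable[[bytes, bytes, bytes], bool]) -> Optional[int]:
    """Attacker without the key replays the message with a 1-byte authParams
    field and brute-forces it. The receiver (which holds the key) runs
    `verify`; returns the accepted byte, or None if every guess is rejected."""
    for guess in range(256):
        if verify(key, msg, bytes([guess])):
            return guess
    return None


if __name__ == "__main__":
    print("vulnerable receiver accepted 1-byte tag:",
          forge_one_byte(SAMPLE_KEY, SAMPLE_MSG, verify_vulnerable))
    print("fixed receiver accepted 1-byte tag:",
          forge_one_byte(SAMPLE_KEY, SAMPLE_MSG, verify_fixed))
```

The length check is the whole fix: once the receiver refuses anything but a 12-octet tag, the attacker is back to guessing 96 bits rather than 8, and the genuine 12-byte tag still verifies.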

Copyright 2010, SecurityFocus