Focus on Apple
Apple releases Security Update 2007-007 Aug 01 2007 12:44AM
Todd Woodward (todd_woodward symantec com) (1 replies)
Re: Apple releases Security Update 2007-007 Aug 01 2007 04:01PM
Mark Senior (senatorfrog gmail com) (1 replies)
While the full list is too long to give in detail, the mDNSResponder
item is too priceless not to post in full, I think:


CVE-ID: CVE-2007-3744

Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10

Impact: An attacker on the local network may be able to cause a denial
of service or arbitrary code execution

Description: A buffer overflow vulnerability exists in the UPnP IGD
(Internet Gateway Device Standardized Device Control Protocol) code
used to create Port Mappings on home NAT gateways in the Mac OS X
implementation of mDNSResponder. By sending a maliciously crafted
packet, an attacker on the local network can trigger the overflow
which may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by removing UPnP IGD
support. This issue does not affect systems prior to Mac OS X v10.4.

Which I would read as - our UPnP IGD implementation is hopelessly
broken. It can never be fixed. We give up.


On 7/31/07, Todd Woodward wrote:
> Apple today release a fairly hefty security update: APPLE-SA-2007-07-31 Security Update 2007-007
> The updates are for:
> Mac OS X v10.3.9
> Mac OS X Server v10.3.9
> Mac OS X v10.4.10
> Mac OS X Server v10.4.10
> Too numerous to detail, here is a shortlist of items updates:
> Bzip2
> CFNetwork (2)
> CoreAudio (3)
> Cscope
> Gnuzip
> iChat
> Kerberos
> mDNSResponder
> PDFKit
> Quartz Composer
> Samba (3)
> SquirrelMail (Panther and Tiger Server Only)
> Tomcat (Panther and Tiger Server Only)
> WebCore (4)
> WebKit (2)
> Security Response Researcher
> Focus-Apple Moderator
> ________________________________________
> Todd D. Woodward
> Technical Support Engineer
> NetBackup Support
> Symantec Corporation
> ________________________________________
> Office:541-335-7441
> ________________________________________

[ reply ]
Re: Apple releases Security Update 2007-007 Aug 01 2007 07:19PM
Dave Schroeder (das doit wisc edu)


Privacy Statement
Copyright 2010, SecurityFocus