Technology news and Jobs 
Information Technology News Major security update for Mac OS X
Information Technology News Major security update for Mac OS X | Major security update for Mac OS X |
|
|
|
| Written by Stephen Withers | |
| Friday, 20 April 2007 | |
|
Several of the bugs allow local users to obtain system privileges or execute code with elevated privileges. These are probably not very important for the average single-user Mac, but may be significant in corporate or educational environments. Also in this category are a pair of fixes to prevent a user bypassing the login and screen saver authentication dialogs. Also in this general category is a SMB networking related issue that exposed authentication credentials to other local users. More serious flaws fixed by 2007-004 include improved validation of UFS file systems to avoid an exploit involving maliciously crafted disk image files, improved validation of tar files for similar reasons, improved error reporting in Libinfo to avoid the possibility of a malicious web page from executing arbitrary code. Also significant are fixes to Installer and Help Viewer to prevent format string exploits, to the VideoConference framework used by iChat to prevent an exploitable buffer overflow, and to WebFoundation to prevent leakage of cookie information from subdomains to their parents. A potentially serious problem in Internet Sharing has been fixed, although in these days of inexpensive routers that facility is rarely used except perhaps in Mac OS X Server. A buffer overflow may be exploited by sending maliciously-crafted RTSP packets to the system, with the possibility of arbitrary code execution. One of the flaws addressed by the update was reported to Apple by Kevin Finisterre of Digital Munitions and the Month of Apple Bugs, while another was reported by Landon Fuller, the leader of the MoAB Fixes project that developed temporary patches for flaws publicised by Finisterre and 'LMH' during January 2007. 2007-004 includes a IOKit fix originally distributed in the Mac OS X 10.4.9 update, but according to Apple's release notes "due to a packaging issue it may not have been delivered to all systems." The issue it addresses is relatively serious, as it allowed any logged-in user to capture console keystrokes.{moscomment}
Get stories like this delivered daily - FREE - subscribe now When you subscribe get a 12 months license for LiveProject Valued at $99 USD  Download the FREE iTWire desktop alert widget
  |
Tags
| < Prev | Next > |
|---|
Subscribe to iTWire's daily e-newsletter now and get a FREE 12 month license to project management software valued at $99 USD. 
