Bumper bundle of security patches for Mac OS X
Written by Stephen Withers
Wednesday, 19 December 2007
The update to Software Update itself is an interesting one. It has long been known that online software update mechanisms may be open to a 'man in the middle' attack: if a miscreant could find a way to intercept traffic to the update server, it would be possible to deliver malware to the computer being updated. Apparently Mac OS X 10.5 introduced a feature that allowed external command scripts delivered by the (supposed) update server to be executed, allowing the execution of arbitrary commands. This feature has been disabled by Security Update 2007-009.
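To show the defensive side of the man-in-the-middle risk described above, here is an added Go example that is not Apple's code: a hypothetical update client verifies a signed manifest against a vendor key pinned in the client, refuses any server-supplied command script even when it is validly signed, and checks the downloaded payload against the digest in the signed manifest. The Manifest format and the VerifyUpdate and SignManifest names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

type Manifest struct { // hypothetical update descriptor; only kind "package" is ever accepted
	Kind   string `json:"kind"`
	SHA256 string `json:"sha256"` // hex digest of the payload the manifest vouches for
}
var ErrBadSignature = errors.New("manifest does not verify against the pinned vendor key")
var ErrScriptPayload = errors.New("server-supplied command scripts are not executed")
var ErrDigestMismatch = errors.New("payload digest differs from the signed manifest")
// VerifyUpdate is the client-side check: a man in the middle can swap the manifest
// and payload in transit but cannot sign them with the key pinned in the client.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, payload []byte) (m Manifest, err error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return m, ErrBadSignature
	}
	if err = json.Unmarshal(manifestJSON, &m); err != nil {
		return m, err
	}
	if m.Kind != "package" { // executing such entries was the 10.5 flaw; refuse them outright
		return m, ErrScriptPayload
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigestMismatch
	}
	return m, nil
}
// SignManifest is the vendor-side step, included so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte) {
	manifestJSON, _ = json.Marshal(m)
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed package bytes") // stand-in for a downloaded update package
	sum := sha256.Sum256(payload)
	mj, sig := SignManifest(priv, Manifest{Kind: "package", SHA256: hex.EncodeToString(sum[:])})
	_, genuine := VerifyUpdate(pub, mj, sig, payload)
	_, altered := VerifyUpdate(pub, []byte(`{"kind":"script"}`), sig, payload) // swapped in transit
	fmt.Println(genuine, "|", altered) // <nil> | manifest does not verify against the pinned vendor key
}
```

The script-kind check is deliberately independent of the signature check, so the policy holds even if the vendor's own server were to publish such an entry.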

A swag of other components are also updated. Among the more interesting issues fixed by Security Update 2007-009 are:

"Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission" (10.5 only). Are you running as an admin user? For which folders do you have write access? Potentially very nasty.

"Opening a directory containing a maliciously-crafted .DS_Store file in Finder may lead to arbitrary code execution" (10.4 only). Presumably this could be exploited via a malicious disk image file. Also, thumb drives are so cheap you might give them away outside an office building as a way of introducing your malware into the target organisation.

"Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution" (10.4 only).

"Opening an executable mail attachment may lead to arbitrary code execution with no warning" (10.5 only). Another nasty one. While users should be very careful of opening executable attachments or downloads, the fact that the OS would warn in some circumstances but not others adds to the risk involved. How this previously-fixed bug found its way back into Mac OS X 10.5 remains a mystery.

Security Update 2007-009 can be downloaded using Software Update or via Apple Downloads.