Apple security update patches iChat, disk image flaws
Apple Inc. on Thursday issued a security update that stomps out four critical flaws within its Mac OS X operating system, all of which were first revealed last month as part of the "Month of Apple Bugs" project run by independent security analysts.
Specifically, the Cupertino-based company tackled two glitches affecting its iChat video conferencing software.
The first fix targets a vulnerability that left iChat's Bonjour wireless discovery open to an attack that could result in an application crash. Meanwhile, the second patches a format string vulnerability in the software's URL handler that could have allowed attackers to trigger an overflow, which could then lead to an application crash or arbitrary code execution.
Apple said it addressed the issues by performing additional validation of both Bonjour messages and AIM URLs.
The Mac maker also bandaged a memory corruption vulnerability in the Mac OS X Finder that could be triggered by a disk image containing a volume name longer than 255 bytes. The issue, which could lead to an exploitable denial of service condition and potential arbitrary code execution, was repaired through additional validation checks, the company said.
Of all the bugs targeted by the Apple security update, one that was capable of using the Mac OS X notification process to hijack root access may have posed the greatest danger to users. Apple said the issue was repaired by making the UserNotificationCenter software process drop its group privileges immediately after launching.
All four fixes are available as part of Security Update 2007-002, which was made available for Intel-based Macs running Mac OS X 10.4.8 [6.6MB], PowerPC-based Macs running Mac OS X 10.4.8 Client or Server [3.8MB], and Macs running Mac OS X 10.3.9 [1.4MB].
Specifically, the Cupertino-based company tackled two glitches affecting its iChat video conferencing software.
The first fix targets a vulnerability that left iChat's Bonjour wireless discovery open to an attack that could result in an application crash. Meanwhile, the second patches a format string vulnerability in the software's URL handler that could have allowed attackers to trigger an overflow, which could then lead to an application crash or arbitrary code execution.
Apple said it addressed the issues by performing additional validation of both Bonjour messages and AIM URLs.
The Mac maker also bandaged a memory corruption vulnerability in the Mac OS X Finder that could be triggered by a disk image containing a volume name longer than 255 bytes. The issue, which could lead to an exploitable denial of service condition and potential arbitrary code execution, was repaired through additional validation checks, the company said.
Of all the bugs targeted by the Apple security update, one that was capable of using the Mac OS X notification process to hijack root access may have posed the greatest danger to users. Apple said the issue was repaired by making the UserNotificationCenter software process drop its group privileges immediately after launching.
All four fixes are available as part of Security Update 2007-002, which was made available for Intel-based Macs running Mac OS X 10.4.8 [6.6MB], PowerPC-based Macs running Mac OS X 10.4.8 Client or Server [3.8MB], and Macs running Mac OS X 10.3.9 [1.4MB].
Comments
Apple Inc. on Thursday issued a security update that stomps out four critical flaws within its Mac OS X operating system, all of which were first revealed last month as part of the "Month of Apple Bugs" project run by independent security analysts.
I can't believe it! No... can't be!
Only Windows OS has security flaws... OSX is built on UNIX and is perfectly secure... what a bunch of bull!
Who said that Mac OS X was "perfectly" secure? Do you have a quote for that?
God did.
I can't believe it! No... can't be!
Only Windows OS has security flaws... OSX is built on UNIX and is perfectly secure... what a bunch of bull!
Don't be a jerk. OS X is a damn secure system and Apple do a great job at fixing the few cracks that develop. What's not to like? Where is the bull in that? Go and compare a certain alternative!
It's about time!
Shouldn't this comment be used about the Daylight Savings change?
It's his attempt at dry humor. Very droll.
Is that droll or troll ?
It's for the U.S.A and Canada, but not sure about the whole entire World.
Early reports indicate something about Western Australia summer time being adjusted too. (Western Australia -- that's the (almost) entire left half of the Australian continent. 8)
....all of which were first revealed last month as part of the "Month of Apple Bugs" project run by independent security analysts....
..."Independent security analysts"... Interesting. What's their beef anyway? They're all like "Oooh let's find a lot of totally obscure security issues and make Apple sweat it out... oooh we're so great...!"
I smell the hand (squirt) of Steve Ballmer in the air, somehow all seems too in sync with the Vista Launches.
Microsoft could be running a CovertOps kinda thing. Since nobody is really hacking away too hard at OSX, Microsoft hires a bunch of 1337 haXX0rs, and gives them a "Month of Apple Bugs" name, conveniently suggesting that OSX is riddled with security issues that "every month" something is being broken. Oh wait, isn't that what Bill Gates said? ""Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally.".... Hmmm.....
Month of Apple Bugs claims
"# Does "someone" pay, sponsor or support this? ex. This initiative is influenced by (random software vendor) in order to spread FUD over competitor's products?
Definitely, no way. For conspiracy theories, please watch the X Files."
"# Is this an attack, revenge, conspiracy or some kind of evil plot against Apple and the users of Apple products?
Not at all, some of us use OS X on a daily basis. Getting problems solved makes that use a bit more safe each day, for everyone else. Flaws exist, with and without people disclosing them. If we wanted to make business out of this we would be selling the issues and the proper exploit for each one. Thus, business-wise, we are wasting a good cake with this project (although software by Apple isn't really of interest in these terms, except iTunes and other high-profile applications)."
YES< a bit more safe? I'd rather these people use their Skillz to make some good freeware, rather than the stupid publicity stunt that MOAB is.
But wait, they do want money:
Advertise on this site
Support us! (goal: Mac Mini for testing, the rest donated)
Your Ad Here: help us get a Mac Mini!
Best Deals at Amazon
TechPower Premium Laptop Battery for Apple iBook M8758LL/A Laptops (A100812)
http://projects.info-pull.com/moab/
*********ARGHGH********* Just be honest about what's going on.
MOAB claims "Getting problems solved makes that use a bit more safe each day, for everyone else" -- yeah, that's what tons of people in the Apple Developer program are doing. Also, each day, for everyone else, tons of people are making nice shareware and freeware and full-blown software for the Mac.
Also edited some profanity out of above post.
Their motive has been dissected in just about every way possible on forums. It always ends up in the "they are doing this for fame" category.
At least apple was quick to fix some of these things and didn't completely ignore it.
...Their motive has been dissected in just about every way possible on forums. It always ends up in the "they are doing this for fame" category...
Interesting, thanks.
At least apple was quick to fix some of these things and didn't completely ignore it.
Who doesn't love a nice update from Apple every now and then... 8)
Who doesn't love a nice update from Apple every now and then... 8)