
Apple security update plugs holes in Mac OS X 10.4.7

post #1 of 17
Thread Starter 
Apple Computer on Tuesday clamped down on a number of vulnerabilities in its Mac OS X operating system that could pose as backdoors for hackers or malicious users.

In a recommended security release labeled Security Update 2006-004 -- the fourth such update this year -- Apple said it tightened loose ends in AFP Server, Bluetooth, Bom, DHCP, dyld, fetchmail, gnuzip, ImageIO, LaunchServices, OpenSSH, telnet and WebKit.

In particular, the update improves Bluetooth Setup Assistant by increasing the length of the automatically generated pairing passkey from six characters to eight characters. It also adds additional checks to protect against maliciously-crafted GIF, TIFF, Radiance or Canon RAW images that could lead to application crashes and arbitrary code execution.

Similarly, Apple increased preventative measures surrounding maliciously-crafted Zip archives, BOOTP requests, TELNET servers and HTML documents. It also patched a vulnerability where an attacker attempting to log in to an OpenSSH server with a nonexistent account could cause the authentication process to hang. "An attacker can exploit this behavior to detect the existence of a particular account," Apple said. "A large number of such attempts may lead to a denial of service."

Another improvement focuses on Safari's ability to detect safe files from those that could potentially include malicious JavaScript files. Previous versions of the browser may have erroneously identified certain files containing HTML as "safe". If such a file is downloaded in Safari and Safari's "Open 'safe' files after downloading" option is enabled, the HTML document would automatically be opened from a local URI. "This would allow any JavaScript code embedded in the document to bypass access restrictions normally imposed on remote content," Apple explained. "This update provides additional checks to identify potentially malicious file types so that they are not automatically opened."

Other security improvements in Security Update 2006-004 target access loopholes in File Sharing and a vulnerability in the Mac OS X dynamic loader where malicious local users could influence the loading of dynamic libraries in order to gain elevated privileges.

A complete list of security enhancements is available through Apple's support site.
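
The "safe file" problem described above comes from trusting a file's name or declared type instead of its content. The following is an added example, not part of the original post and not Apple's or Safari's code: a minimal content check a download handler could run before auto-opening a file. The function names, the allow-list and the marker list are assumptions made for illustration.

```python
import os
import re

# Illustrative allow-list (an assumption, not Safari's actual list):
# extension -> magic bytes the content must start with.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
TEXT_EXTS = {".txt"}  # no magic number; judged on content alone
SNIFF_BYTES = 4096    # how much of the file to inspect

# Tags that would make a browser treat the content as active HTML.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|svg)\b", re.I
)

def looks_like_html(data: bytes) -> bool:
    """True if the start of the file contains an HTML marker.

    NUL bytes are dropped first so UTF-16 encoded markup is caught too.
    Deliberately conservative: a false positive only means the user
    has to open the file manually.
    """
    head = data[:SNIFF_BYTES].replace(b"\x00", b"")
    return HTML_MARKERS.search(head) is not None

def safe_to_auto_open(filename: str, data: bytes) -> bool:
    """Decide from content, not just the name, whether to auto-open."""
    ext = os.path.splitext(filename.lower())[1]
    if looks_like_html(data):
        return False                        # HTML behind any extension
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])  # extension must match content
    return ext in TEXT_EXTS                 # anything else: never auto-open

if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        "fake.gif": b"<html><script>alert(1)</script></html>",
        "notes.txt": "<ScRiPt>alert(1)</ScRiPt>".encode("utf-16"),
    }
    for name, body in samples.items():
        print(name, safe_to_auto_open(name, body))
```
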
post #2 of 17
hmmm, ok.
Citing unnamed sources with limited but direct knowledge of the rumoured device - Comedy Insider (Feb 2014)
post #3 of 17
Mmmmm... security updates...

Proud AAPL stock owner.

 

GOA

post #4 of 17
Me thinks these are already part of Leopard. I bet a lot of the improvements in 10.4.6 and 10.4.7 came from the work on Leopard. The long development cycle of each (10.4.7 is 8J135) makes me think this. Just a hunch.
post #5 of 17
Quote:
Originally posted by Cubert
Me thinks these are already part of Leopard. I bet a lot of the improvements in 10.4.6 and 10.4.7 came from the work on Leopard. The long development cycle of each (10.4.7 is 8J135) makes me think this. Just a hunch.

Well I'd hope that security holes patched in Tiger wouldn't show up in Leopard.
"Humankind -- despite its artistic pretensions, its sophistication, and its many accomplishments -- owes its existence to a six-inch layer of topsoil and the fact that it rains."
post #6 of 17
Quote:
Originally posted by Ireland
hmmm, ok.

great post Ireland. FILLED with substance.
post #7 of 17
Quote:
Originally posted by icfireball
great post Ireland. FILLED with substance.

same with you icfireball and of course, same with this post
post #8 of 17
Has Apple ever been this detailed on the security holes before? It seems like some malicious users could get some ideas to exploit on the users who have yet to install this update.
post #9 of 17
This level of detail reminds me of those news stories after Sept. 11 that said terrorists could poison the water supply, kill our livestock, fly over Disneyworld in a cropduster filled with weaponized anthrax... and so on. It was like the press was giving Tom-Clancy-level "How To" tips on future terrorism efforts...

Shut up, you're giving them ideas!
post #10 of 17
Quote:
Originally posted by purpleshorts
This level of detail reminds me of those news stories after Sept. 11 that said terrorists could poison the water supply, kill our livestock, fly over Disneyworld in a cropduster filled with weaponized anthrax... and so on. It was like the press was giving Tom-Clancy-level "How To" tips on future terrorism efforts...

Shut up, you're giving them ideas!

No shit... BTW, if I recall correctly it always seems the week before a big keynote as such there is some type of system / software update pushed out the gates.
post #11 of 17
Quote:
Originally posted by purpleshorts
This level of detail reminds me of those news stories after Sept. 11 that said terrorists could poison the water supply, kill our livestock, fly over Disneyworld in a cropduster filled with weaponized anthrax... and so on. It was like the press was giving Tom-Clancy-level "How To" tips on future terrorism efforts...

Shut up, you're giving them ideas!

post #12 of 17
It's good that Apple lists all the vulnerabilities, it's about time we actually know what things are getting secured. Also it encourages people to upgrade, when they read all the horrible things. Not only that you get more respect from security research firms & hackers if you are just honest about flaws.
post #13 of 17
Beyond Apple specific technologies, all the listed vulnerabilities are posted with their respective project owners. All Apple specific technologies that incorporate any of these open source projects are encouraging people to upgrade their software as a forewarning so we don't get a bunch of kneejerk reactions proclaiming Apple fails to be proactive on adding these fixes in their tools that are fixed by updates to these open source projects.

For example, if OpenSSH has a list of fixes it behooves Apple to get them into their tree, fixed, QA tested and then released ASAP.
post #14 of 17
I just noticed something since I installed the security update. It seems no sound comes from Flash anymore. I first noticed it when trying to view a movie in YouTube. A quick trip to a few other Flash sites had the same thing - no sound. I rebooted, reinstalled Flash... nothing.

Any ideas?
post #15 of 17
Check Audio MIDI Setup. Your sampling rate may be too high (96 kHz?). Try 44.1 kHz.
post #16 of 17
Quote:
Originally Posted by Chucker

Check Audio MIDI Setup. Your sampling rate may be too high (96 kHz?). Try 44.1 kHz.

Both my Line In and Line Out rates are at 44.1
post #17 of 17
Hmmmm, I don't know what did it, but now sound in Flash is working again.

I had also noticed that every time I used my caps lock key, my computer would announce "caps Lock On/Off", even though I checked that VoiceOver was turned off. Restarting got rid of that.