Apple security update plugs holes in Mac OS X 10.4.7

Posted in macOS; edited January 2014
Apple Computer on Tuesday patched a number of vulnerabilities in its Mac OS X operating system that could give remote attackers or malicious local users a way in.

In a recommended security release labeled Security Update 2006-004, the fourth such update this year, Apple said it patched flaws in AFP Server, Bluetooth, Bom, DHCP, dyld, fetchmail, gnuzip, ImageIO, LaunchServices, OpenSSH, telnet and WebKit.

In particular, the update improves Bluetooth Setup Assistant by increasing the length of the automatically generated pairing passkey from six characters to eight. It also adds checks to reject maliciously crafted GIF, TIFF, Radiance and Canon RAW images that could otherwise cause application crashes or arbitrary code execution.

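The image fixes above are about decoders that trust the length and size fields inside the file. The C code below is an added example written for this page, not code from Apple's ImageIO or from the advisory; it shows the checks a hardened GIF header reader performs before it touches any data: a signature check, a canvas-size limit computed in a 64-bit type so that width times height cannot wrap on a 32-bit build, and a check that a declared global colour table actually fits in the bytes received. The three sample inputs are constructed for the example, and MAX_CANVAS_PIXELS is an assumed limit, not a value from Apple.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the header check. */
enum gif_status {
    GIF_OK = 0,
    GIF_ERR_SHORT,        /* buffer shorter than the structure being read    */
    GIF_ERR_SIGNATURE,    /* not "GIF87a" or "GIF89a"                        */
    GIF_ERR_DIMENSIONS,   /* zero-sized canvas or canvas over the size limit */
    GIF_ERR_COLOR_TABLE   /* global colour table declared but truncated      */
};

struct gif_info {
    uint16_t width, height;
    size_t color_table_bytes;   /* 0 when no global colour table is present */
    size_t header_bytes;        /* bytes consumed: 13 + colour table        */
};

/* Assumed limit for this example: refuse canvases above 64 Mpixel so a hostile
   header cannot make the decoder allocate gigabytes. */
#define MAX_CANVAS_PIXELS (64ull * 1024 * 1024)

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Validate the GIF signature, logical screen descriptor and global colour
   table against the number of bytes actually received. Every field read from
   the file is checked before it is used to size a read or an allocation. */
enum gif_status gif_check_header(const uint8_t *buf, size_t len, struct gif_info *out)
{
    /* 6-byte signature + 7-byte logical screen descriptor. */
    if (len < 13)
        return GIF_ERR_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_ERR_SIGNATURE;

    uint16_t w = le16(buf + 6);
    uint16_t h = le16(buf + 8);
    uint8_t packed = buf[10];

    if (w == 0 || h == 0)
        return GIF_ERR_DIMENSIONS;
    /* Multiply in 64 bits: 65535 x 65535 x 4 bytes per pixel wraps a 32-bit
       size_t, which is how an undersized pixel buffer gets allocated and then
       overflowed by the decoder. */
    uint64_t pixels = (uint64_t)w * (uint64_t)h;
    if (pixels > MAX_CANVAS_PIXELS)
        return GIF_ERR_DIMENSIONS;

    size_t ct_bytes = 0;
    if (packed & 0x80) {
        /* Global colour table: 3 * 2^(N+1) bytes, N in the low three bits. */
        ct_bytes = 3u * (1u << ((packed & 0x07) + 1));
        /* A file can set the flag and then simply end; copying ct_bytes
           without this check reads past the end of the buffer. */
        if (len - 13 < ct_bytes)
            return GIF_ERR_COLOR_TABLE;
    }

    if (out) {
        out->width = w;
        out->height = h;
        out->color_table_bytes = ct_bytes;
        out->header_bytes = 13 + ct_bytes;
    }
    return GIF_OK;
}

/* Constructed sample inputs (not files from the advisory). */
static const uint8_t GOOD_GIF[] = {
    'G','I','F','8','9','a',
    0x01,0x00, 0x01,0x00,            /* 1 x 1 canvas                    */
    0x80, 0x00, 0x00,                /* global table present, 2 entries */
    0x00,0x00,0x00, 0xff,0xff,0xff   /* the 6-byte table                */
};
static const uint8_t TRUNCATED_GIF[] = {
    'G','I','F','8','9','a',
    0x10,0x00, 0x10,0x00,            /* 16 x 16 canvas                     */
    0xf7, 0x00, 0x00                 /* claims a 768-byte table, then ends */
};
static const uint8_t HUGE_GIF[] = {
    'G','I','F','8','9','a',
    0xff,0xff, 0xff,0xff,            /* 65535 x 65535 canvas */
    0x00, 0x00, 0x00
};

int main(void)
{
    struct gif_info info;
    printf("good:      %d\n", gif_check_header(GOOD_GIF, sizeof GOOD_GIF, &info));
    printf("truncated: %d\n", gif_check_header(TRUNCATED_GIF, sizeof TRUNCATED_GIF, NULL));
    printf("huge:      %d\n", gif_check_header(HUGE_GIF, sizeof HUGE_GIF, NULL));
    return 0;
}
```

The same discipline applies to the TIFF, Radiance and Canon RAW readers named in the advisory: every count, offset or dimension that comes from the file is an attacker-controlled integer until it has been checked against the buffer and against an upper bound.
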
Apple likewise added checks against maliciously crafted Zip archives, BOOTP requests, TELNET servers and HTML documents. It also patched a vulnerability in which an attacker attempting to log in to an OpenSSH server with a nonexistent account could cause the authentication process to hang. "An attacker can exploit this behavior to detect the existence of a particular account," Apple said. "A large number of such attempts may lead to a denial of service."

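The OpenSSH issue above is an account-enumeration oracle: the server's behaviour for a nonexistent account (here, a hang) differed from its behaviour for a bad password on a real account. The C code below is an added example for this page, not OpenSSH code or Apple's patch; it uses a toy hash and constructed accounts. It contrasts a leaky check, which short-circuits for unknown users, with the standard remedy of pushing unknown users through the same verification against a dummy record, the same idea as OpenSSH's own fakepw() helper. A counter of hash operations stands in for whatever the observable difference is (a hang, a delay, a different error message).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct account {
    const char *name;
    const char *secret;
};

/* Constructed accounts for the example; not real credentials. */
static const struct account ACCOUNTS[] = {
    { "alice", "correct horse battery staple" },
    { "bob",   "hunter2" },
};

/* Dummy record for unknown users, so that path does identical work. */
static const struct account FAKE_ACCOUNT = { "nobody", "*" };

/* Instrumentation: how many hash computations the current call performed.
   In the real bug the tell-tale was a hang; any measurable difference between
   the two failure paths is enough for enumeration. */
static unsigned g_hash_ops;

/* Toy stand-in for password hashing (FNV-1a). Real code uses a slow,
   salted password hash; the control flow is what this example is about. */
static uint32_t toy_hash(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    g_hash_ops++;
    return h;
}

static const struct account *find_account(const char *user)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, user) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

/* Branch-free comparison of two digests. */
static int digests_equal(uint32_t a, uint32_t b)
{
    return (a ^ b) == 0;
}

enum auth_result { AUTH_FAIL = 0, AUTH_OK = 1 };

/* Leaky: the unknown-user path returns before any hashing, so it behaves
   differently from a wrong password and reveals which accounts exist. */
enum auth_result auth_leaky(const char *user, const char *pw)
{
    const struct account *a = find_account(user);
    if (a == NULL)
        return AUTH_FAIL;
    return digests_equal(toy_hash(a->secret), toy_hash(pw)) ? AUTH_OK : AUTH_FAIL;
}

/* Hardened: unknown users are mapped to the dummy record and verified like
   everyone else, so both failure paths do the same work and return the same
   result. The dummy record can never authenticate, even if its secret is
   guessed, because the final decision also requires the account to be real. */
enum auth_result auth_uniform(const char *user, const char *pw)
{
    const struct account *a = find_account(user);
    int known = (a != NULL);
    if (!known)
        a = &FAKE_ACCOUNT;
    int match = digests_equal(toy_hash(a->secret), toy_hash(pw));
    return (match && known) ? AUTH_OK : AUTH_FAIL;
}

/* Run one authentication attempt and report how many hash operations it cost. */
unsigned hash_ops_for(enum auth_result (*fn)(const char *, const char *),
                      const char *user, const char *pw)
{
    g_hash_ops = 0;
    fn(user, pw);
    return g_hash_ops;
}

int main(void)
{
    printf("leaky   unknown user: %u hash ops\n", hash_ops_for(auth_leaky, "mallory", "x"));
    printf("leaky   wrong passwd: %u hash ops\n", hash_ops_for(auth_leaky, "alice", "x"));
    printf("uniform unknown user: %u hash ops\n", hash_ops_for(auth_uniform, "mallory", "x"));
    printf("uniform wrong passwd: %u hash ops\n", hash_ops_for(auth_uniform, "alice", "x"));
    return 0;
}
```

The denial-of-service half of the advisory follows from the same asymmetry: once the nonexistent-account path is expensive or blocking, an attacker needs only a stream of bogus usernames to tie up the server, which is why the fix must make that path cheap and uniform rather than just quiet.
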
Another fix concerns Safari's ability to distinguish safe downloads from files that could contain malicious JavaScript. Previous versions of the browser may have erroneously identified certain files containing HTML as "safe". If such a file is downloaded in Safari and the 'Open "safe" files after downloading' option is enabled, the HTML document is automatically opened from a local URI. "This would allow any JavaScript code embedded in the document to bypass access restrictions normally imposed on remote content," Apple explained. "This update provides additional checks to identify potentially malicious file types so that they are not automatically opened."

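The Safari fix above comes down to not letting the file name alone decide whether a download is safe to open. The C code below is an added example, not Apple's LaunchServices or WebKit code: it refuses to auto-open a download if its extension is one the browser would render as a local document, or if the leading bytes of its content look like HTML regardless of what the extension claims. The extension list and the marker list are assumptions chosen for the example, and the sample files are constructed; the sniffer deliberately errs on the side of flagging a file (a plain text file that quotes a `<script` tag in its first kilobyte is treated as unsafe).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Extensions the browser would render as a local document; assumed list. */
static const char *const RENDERED_EXTENSIONS[] = {
    "html", "htm", "xhtml", "shtml", "svg", "xml", "webarchive"
};

/* Markers that identify HTML whatever the extension says; assumed list. */
static const char *const HTML_MARKERS[] = {
    "<!doctype html", "<html", "<head", "<body", "<script",
    "<iframe", "<object", "<embed", "<meta"
};

#define SNIFF_LIMIT 1024   /* only the leading bytes are inspected */

/* Case-insensitive "does s (of length len) start with pat". */
static int ci_prefix(const char *s, size_t len, const char *pat)
{
    size_t n = strlen(pat);
    if (len < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)pat[i]))
            return 0;
    return 1;
}

/* Extension-only decision: the weak check the advisory describes. */
static int extension_is_rendered(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return 0;
    dot++;
    size_t n = strlen(dot);
    for (size_t i = 0; i < sizeof RENDERED_EXTENSIONS / sizeof RENDERED_EXTENSIONS[0]; i++)
        if (n == strlen(RENDERED_EXTENSIONS[i]) && ci_prefix(dot, n, RENDERED_EXTENSIONS[i]))
            return 1;
    return 0;
}

int safe_by_extension_only(const char *name)
{
    return !extension_is_rendered(name);
}

/* Content check: 1 if an HTML marker appears in the leading bytes. Scanning
   from each '<' tolerates a BOM, whitespace and comments before the first tag. */
int sniffs_as_html(const char *data, size_t len)
{
    size_t end = len < SNIFF_LIMIT ? len : SNIFF_LIMIT;
    for (size_t i = 0; i < end; i++) {
        if (data[i] != '<')
            continue;
        for (size_t m = 0; m < sizeof HTML_MARKERS / sizeof HTML_MARKERS[0]; m++)
            if (ci_prefix(data + i, end - i, HTML_MARKERS[m]))
                return 1;
    }
    return 0;
}

/* The decision an "open safe files" feature needs: 0 means do not auto-open.
   Both the name and the bytes must look harmless. */
int safe_to_autoopen(const char *name, const char *data, size_t len)
{
    if (extension_is_rendered(name))
        return 0;
    if (sniffs_as_html(data, len))
        return 0;
    return 1;
}

/* Constructed sample downloads. */
static const char JPEG_FILE[] = "\xff\xd8\xff\xe0" "JFIF photo bytes";
static const char TEXT_FILE[] = "Meeting notes\n- budget\n- hiring\n";
/* HTML hiding behind a .txt name: BOM, whitespace and a comment first. */
static const char DISGUISED[] = "\xef\xbb\xbf  \n<!-- looks harmless -->\n"
                                "<HTML><script>alert(document.location)</script></HTML>";

int main(void)
{
    printf("photo.jpg  by extension: %d  full check: %d\n",
           safe_by_extension_only("photo.jpg"),
           safe_to_autoopen("photo.jpg", JPEG_FILE, sizeof JPEG_FILE - 1));
    printf("notes.txt  by extension: %d  full check: %d\n",
           safe_by_extension_only("notes.txt"),
           safe_to_autoopen("notes.txt", DISGUISED, sizeof DISGUISED - 1));
    return 0;
}
```

The disguised file passes the extension-only check and fails the content check, which is exactly the gap the advisory describes: once such a file is opened from a file: URI, its script runs with the privileges of local content rather than the remote origin it was downloaded from.
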
Other fixes in Security Update 2006-004 address access-control weaknesses in File Sharing and a vulnerability in the Mac OS X dynamic loader (dyld) in which a malicious local user could influence the loading of dynamic libraries in order to gain elevated privileges.

A complete list of security enhancements is available through Apple's support site.

Comments

  • Reply 1 of 16
    ireland Posts: 17,616 member
    hmmm, ok.
  • Reply 2 of 16
    SpamSandwich Posts: 31,183 member
    Mmmmm... security updates...
  • Reply 3 of 16
    cubert Posts: 728 member
    Me thinks these are already part of Leopard. I bet a lot of the improvements in 10.4.6 and 10.4.7 came from the work on Leopard. The long development cycle of each (10.4.7 is 8J135) makes me think this. Just a hunch.
  • Reply 4 of 16
    Quote:

    Originally posted by Cubert

    Me thinks these are already part of Leopard. I bet a lot of the improvements in 10.4.6 and 10.4.7 came from the work on Leopard. The long development cycle of each (10.4.7 is 8J135) makes me think this. Just a hunch.



    Well I'd hope that security holes patched in Tiger wouldn't show up in Leopard.
  • Reply 5 of 16
    icfireball Posts: 2,594 member
    Quote:

    Originally posted by Ireland

    hmmm, ok.



    great post Ireland. FILLED with substance.
  • Reply 6 of 16
    Quote:

    Originally posted by icfireball

    great post Ireland. FILLED with substance.



    same with you icfireball and of course, same with this post
  • Reply 7 of 16
    deapeajay Posts: 909 member
    Has Apple ever been this detailed on the security holes before? It seems like some malicious users could get some ideas to exploit on the users who have yet to install this update.
  • Reply 8 of 16
    This level of detail reminds me of those news stories after Sept. 11 that said terrorists could poison the water supply, kill our livestock, fly over Disneyworld in a cropduster filled with weaponized anthrax... and so on. It was like the press was giving Tom-Clancy-level "How To" tips on future terrorism efforts...



    Shut up, you're giving them ideas!
  • Reply 9 of 16
    crees! Posts: 501 member
    Quote:

    Originally posted by purpleshorts

    This level of detail reminds me of those news stories after Sept. 11 that said terrorists could poison the water supply, kill our livestock, fly over Disneyworld in a cropduster filled with weaponized anthrax... and so on. It was like the press was giving Tom-Clancy-level "How To" tips on future terrorism efforts...



    Shut up, you're giving them ideas!




    No shit... BTW, if I recall correctly, it always seems that the week before a big keynote there is some type of system/software update pushed out the gate.
  • Reply 10 of 16
    wilco Posts: 985 member
    Quote:

    Originally posted by purpleshorts

    This level of detail reminds me of those news stories after Sept. 11 that said terrorists could poison the water supply, kill our livestock, fly over Disneyworld in a cropduster filled with weaponized anthrax... and so on. It was like the press was giving Tom-Clancy-level "How To" tips on future terrorism efforts...



    Shut up, you're giving them ideas!




  • Reply 11 of 16
    webmail Posts: 639 member
    It's good that Apple lists all the vulnerabilities; it's about time we actually know what things are getting secured. Also, it encourages people to upgrade when they read all the horrible things. Not only that, you get more respect from security research firms & hackers if you are just honest about flaws.
  • Reply 12 of 16
    mdriftmeyer Posts: 7,281 member
    Beyond Apple-specific technologies, all the listed vulnerabilities are posted with their respective project owners. All Apple-specific technologies that incorporate any of these open source projects are encouraging people to upgrade their software as a forewarning, so we don't get a bunch of kneejerk reactions proclaiming Apple fails to be proactive on adding these fixes in their tools that are fixed by updates to these open source projects.



    For example, if OpenSSH has a list of fixes it behooves Apple to get them into their tree, fixed, QA tested and then released ASAP.
  • Reply 13 of 16
    jabohn Posts: 533 member
    I just noticed something since I installed the security update. It seems no sound comes from Flash anymore. I first noticed it when trying to view a movie on YouTube. A quick trip to a few other Flash sites had the same thing - no sound. I rebooted, reinstalled Flash... nothing.



    Any ideas?
  • Reply 14 of 16
    chucker Posts: 5,089 member
    Check Audio MIDI Setup. Your sampling rate may be too high (96 kHz?). Try 44.1 kHz.
  • Reply 15 of 16
    jabohn Posts: 533 member
    Quote:
    Originally Posted by Chucker


    Check Audio MIDI Setup. Your sampling rate may be too high (96 kHz?). Try 44.1 kHz.



    Both my Line In and Line Out rates are at 44.1
  • Reply 16 of 16
    jabohn Posts: 533 member
    Hmmmm, I don't know what did it, but now sound in Flash is working again.



    I had also noticed that every time I used my Caps Lock key, my computer would announce "Caps Lock On/Off", even though I checked that VoiceOver was turned off. Restarting got rid of that.