Apple Patches 17 Mac OS X Vulnerabilities
2007-05-28 17:06:00
On Thursday, Apple released its fifth major security update for Mac OS X. The release fixes 17 vulnerabilities, about one-third of which leave the door open for hackers to commandeer a Mac remotely.
Unlike other 2007 security updates, Apple's Thursday release did not patch any vulnerabilities stemming from the Month of Apple Bugs project. And most of the bugs were ranked less than critical on Apple's rating scale.
About half of the vulnerabilities identified in Security Update 2007-005, for example, do little more than lead to possible attacks that cause the affected component to crash. Only five of the flaws would let attackers put malicious code on a victim's computer.
Dangerous Bugs
The CoreGraphics bug is among the most serious vulnerabilities patched in the latest security release. By enticing a user to open a maliciously crafted PDF, an attacker could trigger an overflow that might lead to an unexpected application crash or arbitrary code execution. The Apple security update addresses the issue by performing additional validation of PDF files.
Also of note is a dangerous flaw in iChat, Apple's instant-messaging service. A buffer-overflow vulnerability exists in the code used to create iChat port mappings on home NAT gateways.
By sending a maliciously crafted packet, an attacker on the local network could trigger an overflow that could lead to an unexpected application crash or arbitrary code execution. The update addresses the issue by performing additional validation when processing data packets in iChat.
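The fix Apple describes, "additional validation when processing data packets", is the standard defence against a length-field buffer overflow. The following C program is an added illustration, not Apple's or iChat's code, and the wire format it parses (1-byte version, 1-byte opcode, 2-byte big-endian payload length, payload) is a constructed stand-in for whatever the real port-mapping protocol uses. It contrasts the unsafe pattern (trusting the packet's own length field) with a parser that checks that field against both the buffer it copies into and the number of bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical message layout (not iChat's real protocol):
 * [version:1][opcode:1][payload_len:2, big-endian][payload...] */
#define HDR_LEN     4
#define MAX_PAYLOAD 64

struct mapping_request {
    uint8_t  version;
    uint8_t  opcode;
    uint16_t payload_len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* The unsafe pattern: the declared length drives the copy, so a packet that
 * claims more than MAX_PAYLOAD bytes overruns out->payload. Kept as a comment
 * only, not compiled:
 *
 *   uint16_t n = (pkt[2] << 8) | pkt[3];
 *   memcpy(out->payload, pkt + HDR_LEN, n);
 */

/* Validating parser. Returns 0 on success, -1 for any malformed packet. */
int parse_mapping_request(const uint8_t *pkt, size_t pkt_len,
                          struct mapping_request *out)
{
    if (pkt == NULL || out == NULL)
        return -1;
    if (pkt_len < HDR_LEN)                 /* header must be complete */
        return -1;

    uint16_t declared = (uint16_t)((pkt[2] << 8) | pkt[3]);

    if (declared > MAX_PAYLOAD)            /* would overflow out->payload */
        return -1;
    if (declared > pkt_len - HDR_LEN)      /* claims bytes that never arrived */
        return -1;

    out->version     = pkt[0];
    out->opcode      = pkt[1];
    out->payload_len = declared;
    memcpy(out->payload, pkt + HDR_LEN, declared);
    return 0;
}

/* Builds a packet whose length field can deliberately disagree with the
 * payload actually appended, so the mismatch cases can be exercised.
 * Returns total bytes written, or 0 if buf is too small. */
size_t build_packet(uint8_t *buf, size_t buf_len, uint16_t declared_len,
                    const uint8_t *payload, size_t payload_len)
{
    if (buf_len < HDR_LEN + payload_len)
        return 0;
    buf[0] = 1;                              /* version */
    buf[1] = 0x10;                           /* constructed opcode: map port */
    buf[2] = (uint8_t)(declared_len >> 8);
    buf[3] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

/* Convenience: parse a 4-byte constructed payload (internal/external port
 * 8080) under a given declared length. Returns the parser's result. */
int parse_result_for(uint16_t declared_len)
{
    static const uint8_t body[] = { 0x1f, 0x90, 0x1f, 0x90 };
    uint8_t pkt[256];
    struct mapping_request req;
    size_t n = build_packet(pkt, sizeof pkt, declared_len, body, sizeof body);
    return parse_mapping_request(pkt, n, &req);
}

int main(void)
{
    printf("length field matches payload: %s\n",
           parse_result_for(4) == 0 ? "accepted" : "rejected");
    printf("length field larger than buffer: %s\n",
           parse_result_for(1000) == 0 ? "accepted" : "rejected");
    printf("length field larger than bytes received: %s\n",
           parse_result_for(8) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks are deliberately separate: the first bounds the destination buffer, the second bounds the source, and a parser that does only one of them still reads or writes out of bounds on some input.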
More Back Doors
In certain circumstances, an implementation issue in Alias Manager will not show identically named files contained in identically named mounted disk images. That ambiguity is what gives an attacker an opening.
By enticing a user to mount two identically named disk images, an attacker could mislead the user into opening a malicious program. The update addresses the issue by performing additional validation.
Among the other flaws, a cryptographic weakness in fetchmail could lead to the disclosure of fetchmail passwords. Meanwhile, a local user might obtain system privileges through a format string vulnerability in VPN, and a file-handling issue in texinfo might allow a local user to create or overwrite files with the privileges of the user running texinfo.
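The VPN issue above is a format string vulnerability, the class of bug that arises when caller-controlled text is handed to a printf-family function as the format argument rather than as data. The C program below is an added example, not Apple's VPN code: `log_line` is a hypothetical logging helper that shows the hardened call (constant format, untrusted text passed only through `%s`), with the unsafe call kept as a comment for contrast.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, kept as a comment and not compiled: the caller-controlled
 * string becomes the format, so any conversion specifiers inside it are
 * interpreted by the formatter instead of being copied.
 *
 *   snprintf(out, out_len, msg);
 */

/* Hardened: the format is a string literal and the untrusted text is only
 * ever a %s argument, so "%x" or "%n" inside it is copied literally.
 * Returns the number of characters written (excluding the NUL), or -1 on
 * bad arguments or truncation. */
int log_line(const char *msg, char *out, size_t out_len)
{
    if (msg == NULL || out == NULL || out_len == 0)
        return -1;
    int n = snprintf(out, out_len, "vpn: %s", msg);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/* Returns 1 if logging msg reproduces it byte-for-byte after the prefix,
 * i.e. nothing in it was treated as a conversion specifier. */
int log_preserves_literal(const char *msg)
{
    char out[128];
    if (log_line(msg, out, sizeof out) < 0)
        return 0;
    return strcmp(out + strlen("vpn: "), msg) == 0;
}

int main(void)
{
    char out[128];
    /* Constructed input containing conversion specifiers. */
    const char *suspicious = "user %x%x%n logged in";
    int n = log_line(suspicious, out, sizeof out);
    printf("%d bytes: %s\n", n, out);
    printf("literal preserved: %s\n",
           log_preserves_literal(suspicious) ? "yes" : "no");
    return 0;
}
```

Compiling with `-Wformat-security` flags the unsafe form (a non-literal format with no arguments) at build time, which is the cheapest way to find this class of bug across a code base before a local user finds it for you.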
Mac users can download the security updates from Apple's site or by using the Mac's built-in update tool.