Free Republic
General/Chat

Mac OSX Security update released...
Apple Computer | 6/8/2005 | Apple.com

Posted on 06/08/2005 9:56:02 PM PDT by Swordmaker

About Security Update 2005-006

This document describes Security Update 2005-006, which can be downloaded and installed using Software Update, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred, and any necessary patches or releases are available. To learn more about Apple Product Security, visit the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to Use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Security Update 2005-006

  • AFP Server
    CVE-ID: CAN-2005-1721
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: A buffer overflow in support for legacy clients could permit the running of arbitrary code.
    Description: The Mac OS X AFP Server supports a number of legacy clients. A buffer overflow in support for one of these clients could permit arbitrary code to run. This update modifies the AFP Server to correct this buffer overflow. This issue does not affect systems prior to Mac OS X 10.4.
  • AFP Server
    CVE-ID: CAN-2005-1720
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: On an AFP Server that uses an ACL-enabled volume for storage, copying a file with POSIX-only permissions can leave an ACL attached.
    Description: When copying a local file to an AFP Server that is using an ACL-enabled volume for storage, a temporary ACL is attached to the remote object during the copy process. This ACL can be left behind if the file copy went into a directory that was not using ACLs. The ACL that is left behind could cause confusion, as it will override the POSIX file permissions for the file owner. The ACL does not permit other users to access the file. This update modifies the AFP Server so that it correctly removes the ACL that is used for copying the file. This issue does not affect systems prior to Mac OS X 10.4.
  • Bluetooth
    CVE-ID: CAN-2005-1333
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1, Mac OS X v10.3.9, Mac OS X Server v10.3.9
    Impact: Directory traversal via Bluetooth object exchange
    Description: Due to insufficient input checking, the Bluetooth object exchange services could be used to access files outside of the default file exchange directory. This update provides an additional security improvement over the previous release by adding enhanced filtering for path-delimiting characters. Credit to kf_lists[at]digitalmunition[dot]com for reporting this issue.
  • CoreGraphics
    CVE-ID: CAN-2005-1722
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: Applications that use either PDFKit or CoreGraphics to render poorly-formed PDF documents could abort due to a NULL pointer dereference.
    Description: If a poorly-formed PDF document is passed to PDFKit or CoreGraphics for rendering, the rendering engine will detect an error and stop processing. As part of the cleanup process, a check for a NULL pointer is omitted. This omission can cause an application that handles PDF documents to abort, requiring that the application be restarted. CoreGraphics is updated to correctly handle the cleanup of poorly-formed PDF documents. This issue does not affect systems prior to Mac OS X 10.4. Credit to Chris Evans for reporting this issue.
  • CoreGraphics
    CVE-ID: CAN-2005-1726
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: Console users can gain root privileges.
    Description: The CoreGraphics Window Server is updated to disallow unprivileged users from launching commands into root sessions. This issue does not affect systems prior to Mac OS X v10.4.
  • Folder Permissions
    CVE-ID: CAN-2005-1727
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: Potential file race condition via world- and group-writable permissions on two directories.
    Description: Secure folder permissions are applied to protect the system's cache folder and Dashboard system widgets. This exposure does not exist in systems prior to Mac OS X v10.4. Credit to Michael Haller at info@cilly.com for reporting this issue.
  • launchd
    CVE-ID: CAN-2005-1725
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: The setuid program launchd can allow local privilege escalation.
    Description: A vulnerability in launchd allows local users to gain ownership of arbitrary files. The launchd command is updated to safely change ownership of files. Credit to Neil Archibald of Suresec LTD for reporting this issue. This issue does not affect systems prior to Mac OS X v10.4.
  • LaunchServices
    CVE-ID: CAN-2005-1723
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: File extensions and mime types marked as unsafe but not mapped to an Apple UTI could bypass download safety checks.
    Description: Mac OS X 10.4 contains a database of known unsafe file extensions and mime types. If an addition to the unsafe types database was made without a corresponding Apple UTI (Uniform Type Identifier), then a query on certain forms of the file extension or mime type would not be marked as unsafe. All entries in the current unsafe type database are mapped to an Apple UTI. This update corrects the query code to correctly identify unsafe file extensions and mime types regardless of the presence of an Apple UTI. This issue does not affect systems prior to Mac OS X 10.4.
  • MCX Client
    CVE-ID: CAN-2005-1728
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: Portable Home Directory credentials may be available to local system users.
    Description: MCX Client is updated to not log portable home directory mounting credentials. This issue does not affect systems prior to Mac OS X v10.4.
  • NFS
    CVE-ID: CAN-2005-1724
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: An NFS export that's restricted using -network and -mask flags will export to "everyone."
    Description: The use of -network and -mask on a filesystem listed in the NFS exports file would result in that filesystem being exported to "everyone." This update modifies the NFS exporting code to correctly set the network and mask parameters. This issue does not affect systems prior to Mac OS X 10.4.
  • PHP
    CVE-ID: CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1, Mac OS X v10.3.9, Mac OS X Server v10.3.9
    Impact: Multiple vulnerabilities in PHP, including remote denial of service and execution of arbitrary code.
    Description: PHP is updated to version 4.3.11 to address several issues. The PHP release announcement for version 4.3.11 is located at http://www.php.net/release_4_3_11.php.
  • VPN
    CVE-ID: CAN-2005-1343
    Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
    Impact: A local user can obtain root privileges if the system is being used as a VPN server.
    Description: A buffer overflow in "vpnd" could be used by a local user to obtain root privileges if the system is configured as a VPN server. This issue does not occur on systems that are configured as a VPN client. This issue cannot be exploited remotely. This update prevents the buffer overflow from occurring. This issue was fixed for Mac OS X v10.3.9 via Security Update 2005-005. Credit to Pieter de Boer of the master SNB at the Universiteit van Amsterdam (UvA) for reporting this issue.


TOPICS: Computers/Internet
KEYWORDS: apple; macintosh; osx; security

1 posted on 06/08/2005 9:56:02 PM PDT by Swordmaker
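An added example, not part of the Apple advisory or of this thread: a POSIX shell audit that classifies each entry of a BSD-style NFS exports file (the format Mac OS X uses) by the access control it relies on, so an administrator can see which exports depended on the -network/-mask restriction that CAN-2005-1724 caused to be ignored. The sample exports file is constructed, and the mask check goes beyond the advisory by also flagging a non-contiguous netmask, another way an export ends up wider than intended.

```shell
#!/bin/sh
# Added example, not Apple's code: audit a BSD-style NFS exports file (the
# Mac OS X format). Entries reported as "network" are the ones CAN-2005-1724
# turned into exports to everyone before Security Update 2005-006.
# Constructed sample of /etc/exports, one filesystem per line.
SAMPLE_EXPORTS='/Users/shared -network 192.168.1.0 -mask 255.255.255.0
/Library/Images -ro host1.example.com host2.example.com
/Public -ro
/Data -network 10.0.0.0 -mask 255.0.255.0 -maproot=nobody'

# mask_to_prefix MASK: prefix length of a dotted netmask, or "bad" unless it
# is four octets of contiguous one bits followed by zeros.
mask_to_prefix() {
    bits=0; seen_zero=0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo bad; return 0; }
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) echo bad; return 0 ;; esac
        [ "$octet" -le 255 ] || { echo bad; return 0; }
        i=7
        while [ $i -ge 0 ]; do
            if [ $(( (octet >> i) & 1 )) -eq 1 ]; then
                [ $seen_zero -eq 0 ] || { echo bad; return 0; }  # a one after a zero
                bits=$(( bits + 1 ))
            else seen_zero=1; fi
            i=$(( i - 1 ))
        done
    done
    echo $bits
}

# classify_export LINE: prints "<path> network <net>/<prefix>",
# "<path> hosts <list>" or "<path> everyone" for one exports entry.
classify_export() {
    set -- $1                  # word-split the entry; paths with spaces not handled
    path=$1; shift; net=''; mask=''; hosts=''
    while [ $# -gt 0 ]; do
        case $1 in
            -network) net=${2:-}; shift ;;
            -mask)    mask=${2:-}; shift ;;
            -*)       ;;       # -ro, -maproot=... and similar are not access controls
            *)        hosts="$hosts $1" ;;
        esac
        [ $# -gt 0 ] && shift
    done
    if [ -n "$net" ]; then
        if [ -n "$mask" ]; then prefix=$(mask_to_prefix "$mask"); else prefix=nomask; fi
        printf '%s network %s/%s\n' "$path" "$net" "$prefix"
    elif [ -n "$hosts" ]; then printf '%s hosts%s\n' "$path" "$hosts"
    else printf '%s everyone\n' "$path"
    fi
}

# audit_exports: stdin is exports text; comments and blank lines are skipped.
audit_exports() {
    while IFS= read -r line; do
        case $line in ''|'#'*) ;; *) classify_export "$line" ;; esac
    done
}
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

On an unpatched 10.4.1 host every line reported as "network" was in practice reachable by any client; an entry whose mask is reported as "bad" is misconfigured regardless of the patch.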

To: Bush2000; antiRepublicrat; Action-America; eno_; Glenn; bentfeather; BigFinn; byset; Bubba; ...
June security update for OSX. Click on Software Update under the Apple menu.

PING!!!!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 06/08/2005 9:57:21 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker

But how can this be? Oh! The humanity!


3 posted on 06/08/2005 9:57:30 PM PDT by calenel (The Democratic Party is the Socialist Mafia. It is a Criminal Enterprise.)

To: Swordmaker
Ok Swordmaker, you solved my http link in email problem, so I have another Mac question for you.

I appreciate any advice.

I like to see a preview of a file, especially a jpeg. A finder preview. The icon can be a preview of the file. Is there a way to make that a default? I have to run some files through another program so I can see actual visual icons on the desktop.

Thanks.

4 posted on 06/08/2005 10:02:20 PM PDT by TheOtherOne

To: calenel
But how can this be? Oh! The humanity!

Are you trying to be sarcastic or gloating?

If so, why don't you wait until the first Mac virus or worm is detected replicating or infecting computers in the wild. It seems to me that it would offer a far more satisfying gloating than these rather ordinary security upgrades.

If that was your point at all. I am left wondering.

5 posted on 06/08/2005 10:06:35 PM PDT by John Valentine

To: TheOtherOne
I like to see a preview of a file, especially a jpeg. A finder preview. The icon can be a preview of the file. Is there a way to make that a default. I have to run some files though another program so I can see actual visual icons on the desktop.

Some graphic files do not include a "thumbnail" that can be used as a preview... but the Mac addresses this. If you list your files in the "column" mode, simply highlight a graphic and the next left column will display a preview of that graphic.

What's really cool is that if the file is a .mov, .mpeg, or other file supported by Quicktime the preview will be a full movie with sound! (without loading or invoking Quicktime.)

If it's an MP3, .wav, .AAC or other sound file playable in iTunes, it will play the audio. (also without opening iTunes)

Unfortunately, this does not work with WMP files.

6 posted on 06/08/2005 10:30:18 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: calenel
But how can this be?

Very simply. OSX is, at its core, FreeBSD Unix. There are literally hundreds, if not thousands, of parts of Unix that are developed by many other coders not related to Apple. When THEY find a security issue and provide a patch, Apple includes it in their next security update along with the patches Apple finds are necessary to their code.

It's called being pro-active in security. It is one of the reasons that UNIX and OSX are among the most secure operating systems in the world.

7 posted on 06/08/2005 10:34:05 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: TheOtherOne

oops... make that "the next RIGHT column will display a preview".


8 posted on 06/08/2005 10:35:38 PM PDT by Swordmaker (tagline now open, please ring bell.)

Comment #9 Removed by Moderator

Comment #10 Removed by Moderator

Comment #11 Removed by Moderator

To: John Valentine
Sarcastic, not gloating. Neither OSX nor UNIX in all its glorious flavors suffers from an excess of perfection, in spite of the propaganda put forth by their adherents.

"If so, why don't you wait until the first Mac virus or worm is detected replicating or infecting computers in the wild."

Tell me, do you have any sort of passing familiarity with epidemiology? There simply aren't enough targets for a Mac virus to spread easily. Should it ever come to pass that the Mac population is dense enough, viruses will be able to survive.

12 posted on 06/08/2005 10:47:42 PM PDT by calenel (The Democratic Party is the Socialist Mafia. It is a Criminal Enterprise.)

To: calenel
Should it ever come to pass that the Mac population is dense enough, viruses will be able to survive.

Already debunked.

13 posted on 06/08/2005 10:52:07 PM PDT by John Valentine

To: John Valentine

As you wish.


14 posted on 06/08/2005 10:52:53 PM PDT by calenel (The Democratic Party is the Socialist Mafia. It is a Criminal Enterprise.)

To: Yehuda
Viewing previews of images in the Finder

Thanks... I had forgotten that. I seldom use the icon view, preferring the columnar view.

15 posted on 06/08/2005 10:55:57 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: calenel
Tell me, do you have any sort of passing familiarity with epidemiology?

Do you have any sort of passing familiarity with the epidemiology term "vector"?

For a virus, live or computer, to be passed from one host to another, you have to have a vector... For computers, this means a way of transmitting and causing the virus to execute its code automatically. This is where OSX is most secure... no vector beyond the psychological approach, persuading a user to install and run the malware, a la trojan programs. While certainly psych vectoring is not beyond imagination, mass infections by such means are.

The "security by obscurity" canard has been shot down many times. When virus writers release malware attacking a piece of hardware with fewer than 40,000 installed units or viruses tailored to a piece of software with only 350,000 sales, why isn't the Mac OSX operating system with 20,000,000 installed units attractive to them? As one expert Unix coder put it: "Making an OSX or Unix virus is not impossible... but, on a scale of 1 to 10, creating one is a 9.5!" When queried where a Windows virus came on his scale, he said "About 2."

16 posted on 06/08/2005 11:11:44 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker
As one expert Unix coder put it: "Making an OSX or Unix virus is not impossible... but, on a scale of 1 to 10, creating one is a 9.5!" When queried where a Windows virus came on his scale, he said "About 2."

As you wish, too.

17 posted on 06/08/2005 11:16:54 PM PDT by calenel (The Democratic Party is the Socialist Mafia. It is a Criminal Enterprise.)

To: Yehuda
make sure your desktop finder window view is the three column type. click once/select on any jpg. you will get a new column to the right with the file info and a little triangle pointing to the right. click/turn the triangle down and the preview of the one jpeg will appear, and afaik, selecting any next jpeg will default view with the triangle down and the preview available. as for seeing all the icons of jpegs with preview thumbnails in the actual file icons, check the docs of the program you are using to export/manipulate files. iirc, there is usually a choosable preference for saving the files with or without the thumbnail of the image in the finder icon.

I have been using a free program called viewit to add 128x128 finder previews of jpegs, and it works pretty good. It just seems like there should be some OSX default that automatically shows full image icons in a folder or desktop.

The tiny ones on the 3 column display are okay, but not if you want to see what you are looking at.

Thanks for the tips though.

18 posted on 06/08/2005 11:18:28 PM PDT by TheOtherOne

To: TheOtherOne

If you have .jpg; .gif; .tif files and you want OS X to show a preview of those files by default, do the following:

1. On the Desktop, go to the top to FINDER > VIEW > Show View Options > and then a window opens up titled "desktop"; you have some options > CLICK ON "Show Icon Preview".

2. To set the same preference for folders: Open a folder > Finder > View > Show View Options > (now you can set preferences only for this folder or all folders) click on "show icon preview"

Hope this helps


19 posted on 06/08/2005 11:23:15 PM PDT by Panerai

To: Swordmaker

Thanks for the tips. I have been using some programs to manage my media files. Viewit and Iviewmediapro, anyway, they allow you to see large thumbnails of your video and photo files. I have converted some of my photo files, and now, on the desktop, the icon, instead of a jpeg default, is a mini picture. This is obviously way better. But I have to run every file through a program to get the effect. I was wondering if there was some way to always see the full image. I guess it is not usually encoded unless specified when saved or added later.


20 posted on 06/08/2005 11:24:11 PM PDT by TheOtherOne

