Free Republic

Apple Issues Megapatch of 25 Fixes
Newsfactor ^ | April 20, 2007 | Barry Levine

Posted on 04/20/2007 7:51:27 PM PDT by jdm

On Thursday, Apple issued a megapatch of bug-fixes for its Mac OS X desktop and OS X server systems. The fixes, 25 in all, are itemized in the company's Security Update 2007-004.

Apple recommended that all OS X users install the update. It said that the vulnerabilities could lead to a system crash or allow an intruder to run unauthorized software on the computer. The fixes relate to various components and services in the Mac OS X operating system, including the AirPort driver, the Help view and the Installer application.

About half of the patches relate to security, such as remote code execution that could permit a hacker to obtain control over a Mac, although there have been no such reported attacks.

Kerberos, iChat

Several of the vulnerabilities are within Kerberos, a network authentication protocol developed at M.I.T. "Running the Kerberos administration daemon may lead to an unexpected application termination or arbitrary code execution with system privileges," Apple said in its Update. Apple credited the M.I.T. Kerberos Team with reporting the issue.

The Libinfo component and LoginWindow software were identified as having flaws that could allow a user to bypass authentication. Video chat was also flagged as being vulnerable. The iChat component had a vulnerability that could allow a malicious user to remotely execute code through a malformed chat request.

Apple also identified a vulnerability in AirPort that could allow remote execution in a legacy system, and a patch was included. However, the latest Mac Pro, iMac or MacBook systems are not affected.

The patches also deal with eight identified vulnerabilities in the way the operating system handles disk images. Apple said that mounting a malicious disk image could lead to a security breach.

Largest in March

In early March, Apple also released a large set of fixes. In that batch, the largest so far this year, there were 30 patches for 22 applications. In 2007, the Cupertino, California-based company has issued an average of one security update per month. This is a faster pace than in 2006, when Apple released eight sets of patches in the entire year.

This week's update also addresses several zero-day bugs that were revealed as part of the Month of Apple Bugs in January. The Month of Apple Bugs was a project by two researchers, Kevin Finisterre and the pseudonymous LMH, who reported one flaw per day in Mac OS X or in Mac applications. Each of the vulnerabilities was a previously undocumented security issue.

LMH also led the Month of Kernel Bugs last November. Last summer, researcher HD Moore had orchestrated a Month of Browser Bugs, which focused on unpatched security flaws in Firefox, Internet Explorer, Safari, and Opera.



TOPICS: Business/Economy; Culture/Society; News/Current Events
KEYWORDS: apple; mac; patch
To: jdm
What is it that Macintosh Operating System 10 offers that a free operating system such as Debian does not?
41 posted on 04/21/2007 7:15:39 AM PDT by joseph20

To: jdm
I downloaded it yesterday - the download and install took about 5 minutes. An interesting line in the article:

Quote:
...that could permit a hacker to obtain control over a Mac, although there have been no such reported attacks.
42 posted on 04/21/2007 7:37:14 AM PDT by Verbosus

To: Army Air Corps

I’ve got 152 episodes taped. I’ve got almost all of Joel. I didn’t think much of Mike so I didn’t tape those. It was a great program.


43 posted on 04/21/2007 8:38:54 AM PDT by TomServo ("Jim Henson's Flying Leatherneck Babies!")

To: TomServo
I liked both Mike and Joel as host. Heck, Mike had been the head writer for years before appearing as the host. As far as the Mads go, Dr. Clayton Forrester was a blast. Have you started transferring your tapes to DVD?
44 posted on 04/21/2007 10:44:53 AM PDT by Army Air Corps (Four fried chickens and a coke)

To: joseph20
What is it that Macintosh Operating System 10 offers that a free operating system such as Debian does not?

Open Source PLUS a 21 Billion dollar corporation that stands behind it, supports it, and develops improvements for it. Add in professional grade applications that are designed by other multibillion dollar businesses who also stand behind their products.

45 posted on 04/21/2007 3:06:11 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE)

