dcsimg

Apple Issues Mega Security Update

By Ryan Naraine (Send Email)
Posted Sep 9, 2004


Computer maker Apple Wednesday released a security update to fix more than a dozen flaws in the Jaguar and Panther versions of its flagship Mac operating system.

Apple Wednesday released patches for more than a dozen flaws in the Jaguar and Panther versions of the Mac operating system.

According to an advisory from Apple, the most serious flaw could permit remote attackers to execute arbitrary code and potentially take over a user's system.

The mega patch fixes holes in several components of Max OS X, including CoreFoundation, IPSec, and the Kerberos 5 authentication system, which MIT recently patched.

Apple also included fixes for its Safari browser along with patches for components like libpcap, lukemftpd, NetworkConfig, OpenLDAP, OpenSSH, PPPDialer, rsync and tcpdump.

Apple said the CoreFoundation fix adds validity check to environment variables that could be manipulated to cause a buffer overflow.

"By manipulating local environment variables, a program could potentially be leveraged by a local attacker to execute arbitrary code," the company warned.

The company said that Mac users were not at risk of the more serious Kerberos flaw, noting, "The buffer overflow can only be exploited if 'auth_to_local_names' or 'auth_to_local' support is also configured in the edu.mit.Kerberos file. Apple does not enable this by default."

In the Safari browser, Apple patched a hole that could allow an untrusted Web site to inject content into a frame intended to be used by another domain.

"A web site that uses multiple frames can have some of its frames replaced with content from a malicious site if the malicious site is visited first. The fix imposes a set of parent/child rules preventing the attack," the company said.

This article was originally published on internetnews.com.

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.