You are currently browsing the Stan’s List weblog archives for July, 2007.
# Security Update 2007-007

This is recommended for all users and improves the security of the following components:

bzip2
CFNetwork
Core Audio
cscope
gnuzip
Kerberos
mDNSResponder
PDFKit
PHP
Quartz Composer
samba
WebKit
WebCore

Security Update 2007-006 has been incorporated into this security update.
For detailed information on this update, please visit this website.

This security update includes Samba patches for CVE-2007-2446, CVE-2007-2447 and CVE-2007-2407, as well as patches for other components.

ComputerWorld responded to my comment that Apple has patched Samba.

Here is their reply:

Although you are correct in pointing out that an Apple-specific Samba module was patched in the 2007-003 security update (and in the associated update to 10.4.9), none of the flaws patched by Samba in mid-May correspond to this single heap buffer overflow fixed in March by Apple.

Symantec, as the story mentions, has verified that the Samba vulnerabilities exist in a fully-patched 10.4.10 edition, in other words post 2007-003.

Also, credit to the 5/14 heap buffer overflow flaws in Samba (there are four all told) goes to Tipping Point’s Zero-Day Initiative bug bounty program, while the one in 2007-003 went to someone at New Zealand’s Massey University.

Check out the Samba release notes, specifically the reference to CVE-2007-2446, which covers the four buffer overflow bugs; and CVE-2007-2446.

In particular, the overflow vulnerability that RISE exploits is the one detailed by ISS’ X-Force.

Best,

Gregg Keizer, ComputerWorld

# Firefox - 2.0.0.6

What’s New in Firefox 2.0.0.6

One critical vulnerability and one moderate vulnerability were patched (more information can be found in the links below).

MFSA 2007-27 Unescaped URIs passed to external programs

MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows

Download Page

AppleInsider takes a long hard look at Apple’s Bluetooth headset. At $129, one might expect performance equal to headsets one-third the price. As is pointed out, there is more to the package, which makes the price more palatable. Yet the 5.5 hours of talk time or 72 hours of standby should be compared with, say, my Motorola HS850 ($40 at Costco) with 8 hours of talk time and 200 hours of standby time. More …

# How secure is the iPhone?

Business Line, the web blog of India’s Business Daily, recognizes the iPhone as a computer, or nearly one. They report that most security experts agree that Apple made the right decision not to release an iPhone Software Development Kit, which makes the device decidedly more difficult to compromise. As pointed out, except for the claim by Independent Security Evaluators, no-gooders must deal directly with the user, by way of malicious web pages or phishing email. More …

Editor: I was just explaining to a friend how to set the ring sound. Just go into “Settings” (Preferences) and access “Sounds”, just like a Mac. OK, a little different, but it is like a Mac.

# iPhone report #??

I have had my iPhone for about a month, and I am still asked to show it off. Just today, while getting a haircut, I was asked to dig the iPhone out to show to the stylist. I think she was distracted, as this is the worst haircut I have received in quite a while. As a plus, she said she was now thinking of getting one.

Reception and sound quality are the iPhone’s untold best features.

I have 5 bars whenever I look. What I need to do is have a conversation while on the 680 FWY going through Alamo (East Bay area, south of Walnut Creek). There is an infamous cell phone drop-out area there.

Whether it be headsets or iPod functions, I consider the sound quality top notch. I use the Motorola HS850 wireless headset and the Motorola T305 hands-free wireless device for the car. The iPhone transmissions are excellent. iPod and movie viewing are enhanced by the quality of the sound. Variances when listening to music are greatly affected by the quality of the material, such as the source material, amount of compression, and bit depth.

The iPhone does have the difficulty with multiple wireless Bluetooth devices that I also experienced with my Sony Ericsson T616 cell phone. If you have more than one device paired, the cell phone/iPhone will have difficulty letting go of one, or connecting to one after connecting with the other. As Bob Shayler confirms, this is true of all cell phones. One example of this: if you are using the earpiece, the iPhone will take a few seconds to connect through the earpiece, especially if you have been using the other device. In fact, you might not be able to hear the conversation, as the iPhone is not using its speaker and you cannot hear anything through the headset. It is best not to switch devices while the iPhone (or cell phone) is turned on.

If you have a Mac in a mixed environment, Symantec warns of a vulnerability in Samba (open source), which is used for file and print sharing with Windoze. The threat gained importance once attack code was developed. The flaw was reported to have been passed on to Apple on May 14, the same day Samba was patched by the Samba community.

The Computerworld article is not correct that Samba was last updated in March 2005, as Security Update 2007-003 addressed a heap buffer overflow vulnerability in Samba, which appears to be this very vulnerability.

With all the attention on the iPhone, and previously the iPod, there was speculation that Apple might consider getting out of the computer business. The truth is more likely the halo effect and Apple making the Mac an excellent bargain, comparatively: just get the consumer to think about it. The Associated Press, carried by The Arizona Republic, reports on how impressed the market is with the Mac’s contribution to the bottom line. More …

Think Secret has some screenshots of parts of the Leopard desktop. More realistic-looking icons are among a number of GUI improvements that were added in the last developer’s release. As one reader described, “I’m a-likin’!” More …

# iPhoneHacks.com

iPhoneHacks.com provides information and links to the latest iPhone hacks. Recent examples include how to use iActivator to activate your iPhone without AT&T or iTunes, and how to use the iPhone as a web modem for your laptop. Add ringtones, anyone? More …