You are currently browsing the Stan’s List weblog archives for the day Monday, July 30th, 2007.

ComputerWorld responded to my comment that Apple has patched Samba.

Here is their reply:

Although you are correct in pointing out that an Apple-specific Samba module was patched in the 2007-003 security update (and in the associated update to 10.4.9), none of the flaws patched by Samba in mid-May correspond to this single heap buffer overflow fixed in March by Apple.

Symantec, as the story mentions, has verified that the Samba vulnerabilities exist in a fully-patched 10.4.10 edition, in other words post 2007-003.

Also, credit to the 5/14 heap buffer overflow flaws in Samba (there are four all told) goes to Tipping Point’s Zero-Day Initiative bug bounty program, while the one in 2007-003 went to someone at New Zealand’s Massey University.

Check out the Samba release notes, specifically the reference to CVE-2007-2446, which covers the four buffer overflow bugs; and CVE-2007-2446.

In particular, the overflow vulnerability that RISE exploit is the one detailed by ISS’ X-Force.

Best,

Gregg Keizer, ComputerWorld

# Firefox - 2.0.0.6

What’s New in Firefox 2.0.0.6

One critical vulnerability and one moderate vulnerability are patched (more information can be found in the link below).

MFSA 2007-27 Unescaped URIs passed to external programs

MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows

Download Page

AppleInsider takes a long, hard look at Apple’s Bluetooth headset. At $129, one might expect equal performance with headsets 1/3 the price. As is pointed out, there is more to the package, which makes the price more palatable. Yet the 5.5 hours of talk time or 72 hours of standby should be compared to, say, my Motorola HS850 ($40 at Costco), with 8 hours of talk time and 200 hours of standby time. More …