You are currently browsing the Stan's List weblog archives for the 'Security' category.

All the updates can be accessed via Software Update or by direct download from one download page.

Mac OS X 10.4.11 Update (PPC or Intel; Update or Combo)

Mac OS X Server 10.4.11 Update (Universal or PPC; Update or Combo)

Security Update 2007-008 (10.3.9 Client and Server versions)

Soundtrack Pro 2.0.2

Server Admin Tools 10.4.11

Final Cut Pro 6.0.2

DVD Studio Pro 4.2.1

Motion 3.0.2

Color 1.0.2

Cinema Tools 4.0.1

Compressor 3.0.2

Pro Applications Update 2007-02

iPhoto 7.1.1

Intego warns of a trojan horse named “OSX.RSPlugin” that infects Macs and is in the wild. While it is thought to be introduced by clicking to watch a porn site’s video, it can be modified to come from any malicious Web site in a similar fashion.

The trojan horse is a form of DNSChanger: it uses the scutil command to change your computer’s DNS server to one selected by the attacker. The malicious DNS server then redirects your requests to sites of the attacker’s choosing, possibly phishing sites for the likes of eBay and PayPal, rather than to what is typed into your Web browser’s address field.

How does it get installed? If you click on a supposed movie link, you are redirected to a web page displaying:

QuickTime Player is unable to play movie file.
Please click here to download new version of codec.

From here on everything seems normal. After the new page loads, a disk image automatically downloads, and if it does not auto-mount, you will likely open it yourself. The new QuickTime codec will then be installed by double-clicking. It is now too late.

It also has a cron file that runs every so often to reinstate the bogus DNS addresses should they be found and changed. Going to a financial-related Web site could lead to disaster. More …
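A defender-side check for the two traces described above (resolvers changed via scutil, and a cron entry that puts them back), added here as an example and not taken from Intego or the original post. The allow-list in `EXPECTED_DNS`, the sample `scutil --dns` output and the sample crontab are constructed; the patterns matched in cron are an assumption about what a DNS-resetting job would invoke.

```shell
#!/bin/sh
# Added example: look for the two DNSChanger traces described above.
# EXPECTED_DNS and both samples are constructed; use your own resolver list.
EXPECTED_DNS="192.0.2.53 192.0.2.54"

SAMPLE_SCUTIL='resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 203.0.113.66
  order   : 200000'

SAMPLE_CRON='# m h dom mon dow command
15 3 * * * /usr/sbin/periodic daily
*/5 * * * * /usr/sbin/scutil < /tmp/dns.example'

# stdin: `scutil --dns` text. Prints each nameserver not on the allow-list.
unexpected_resolvers() {
    awk -v allow="$EXPECTED_DNS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /nameserver\[[0-9]+\]/ {
            ip = $NF
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# stdin: crontab text. Prints non-comment entries that touch DNS settings.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E 'scutil|networksetup|ServerAddresses' || true
}

# Uses live data on a Mac, the constructed samples elsewhere.
check_host() {
    if command -v scutil >/dev/null 2>&1; then
        dns_text=$(scutil --dns)
        cron_text=$(crontab -l 2>/dev/null || true)   # run as root to see root's crontab
    else
        dns_text=$SAMPLE_SCUTIL
        cron_text=$SAMPLE_CRON
    fi
    bad_dns=$(printf '%s\n' "$dns_text" | unexpected_resolvers)
    bad_cron=$(printf '%s\n' "$cron_text" | suspicious_cron_lines)
    [ -z "$bad_dns" ] || printf 'Unexpected resolver: %s\n' $bad_dns
    [ -z "$bad_cron" ] || printf 'Cron entry touching DNS: %s\n' "$bad_cron"
    [ -z "$bad_dns$bad_cron" ]      # return 0 only when nothing was flagged
}

check_host || echo "Findings above need review."
```

Because the cron job rewrites the resolvers, a flagged cron entry should be removed before the DNS settings are corrected, and the check rerun afterwards.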

More than a year ago, there was a great disturbance in the force, as it was announced that one could easily take control of a Mac. Then the story unraveled, when it was reported that local access was necessary. When David Maynor disclosed the attack, he was severely chastised in the Mac media. As Apple patched the vulnerability last September, ComputerWorld correctly asks, “so why publish the Mac hack now?” More …

# Cybercrime tops drug trade

PCs require considerable security tools to address the threat from phishing, data loss, and other cyber vulnerabilities. The net effect of that security at work is that my doorstop takes forever to do anything. In the home, this lack of performance must discourage proper security. iTnews covers a speech by McAfee CEO David DeWalt at the InformationWeek 500 conference in Tucson. More …

SeaMonkey 1.1.4, Mozilla’s integrated Web suite, provides these security fixes over v1.1.3:

* MFSA 2007-27 Unescaped URIs passed to external programs
* MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows
* MFSA 2007-23 Remote code execution by launching SeaMonkey from Internet Explorer

The rough changelog provides these changes over v1.1.3, including the security fixes:

* 388121 about:blank loaded by chrome in particular ways has chrome privileges
* 389106 we may not escape quotes everywhere
* 389580 some schemes with %00 launch unexpected handlers on windows
* 389257 Cross-application scripting vulnerability in SeaMonkey

ChannelWeb reports on the Black Hat Briefings conference. In spite of Apple’s Security update, Charles Miller did a presentation at the Black Hat Briefings. He even demonstrated the iPhone Safari vulnerability that existed prior to the iPhone update. What was a bit shocking was his analysis of Apple’s security practices. Here are some snippets:

Miller listed a number of what he considers to be specific bad development practices on Apple’s part, the most egregious of which is Apple’s regular inclusion in the OS X platform of older, outdated versions of open source code, much of which has known security bugs.

“Here’s my formula for finding a zero-day [vulnerability] on a Mac; here’s what you do,” said Miller in his presentation. “First, find an open source package that they use that’s out of date — there’s plenty of those. Read through the changelog for the current version of that software, find a usable bug that’s been fixed in the newer versions. And you’re done. You don’t have to worry about static analysis or fuzzing or any of that stuff.” More …

The announcement that a worm targeting the vulnerability in Mac OS X’s mDNSResponder would not be disclosed may have caused Apple to completely disable mDNSResponder with the recently released Security Update 2007-007. Berkerming surmises the possibility that this gives Apple the opportunity to correctly address the problem. More …

# Security Update 2007-007

This is recommended for all users and improves the security of the following components:

bzip2
CFNetwork
Core Audio
cscope
gnuzip
Kerberos
mDNSResponder
PDFKit
PHP
Quartz Composer
samba
WebKit
WebCore

Security Update 2007-006 has been incorporated into this security update.
For detailed information on this update, please visit this website.

This security update includes Samba patches for CVE-2007-2446, CVE-2007-2447 and CVE-2007-2407, as well as patches for other components.

ComputerWorld responded to my comment that Apple has patched Samba.

Here is their reply:

Although you are correct in pointing out that an Apple-specific Samba module was patched in the 2007-003 security update (and in the associated update to 10.4.9), none of the flaws patched by Samba in mid-May correspond to this single heap buffer overflow fixed in March by Apple.

Symantec, as the story mentions, has verified that the Samba vulnerabilities exist in a fully-patched 10.4.10 edition, in other words post 2007-003.

Also, credit to the 5/14 heap buffer overflow flaws in Samba (there are four all told) goes to Tipping Point’s Zero-Day Initiative bug bounty program, while the one in 2007-003 went to someone at New Zealand’s Massey University.

Check out the Samba release notes, specifically the reference to CVE-2007-2446, which covers the four buffer overflow bugs; and CVE-2007-2446.

In particular, the overflow vulnerability that RISE exploit is the one detailed by ISS’ X-Force.

Best,

Gregg Keizer, ComputerWorld

# How secure is the iPhone?

Business Line, the web blog of India’s Business Daily, recognizes the iPhone as a computer, or nearly one. They report that most security experts agree that Apple made the right decision not to release an iPhone Software Development Kit. This makes it decidedly more difficult to compromise. As pointed out, except for the claim by Independent Security Evaluators, no-gooders must deal directly with the user, by way of malicious web pages or phishing email. More …

Editor: I was just explaining to a friend how to set the ring sound. Just go into “Settings” (Preferences) and access “Sounds”, just like a Mac. Ok, a little different, but it is like a Mac.