
May 24th, 2007

Apple patch batch fixes 17 Mac OS X vulnerabilities

Posted by Ryan Naraine @ 1:51 pm

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Hackers, Metasploit, Open source, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spyware and Adware, Viruses and Worms, Vulnerability research

Tags: Apple Mac OS, Apple Macintosh, Attacker, Adobe PDF, Vulnerability, Apple Inc., Apple Mac OS X, Ryan Naraine

Apple has shipped a Mac OS X update with patches for a total of 17 potentially serious security vulnerabilities.

The latest mega update is the fifth from Apple this year and brings the patch total for 2007 up to 109.

With Security Update 2007-005, Apple is fixing a host of denial-of-service and arbitrary code execution issues affecting several built-in Mac OS X components.

One of the more serious vulnerabilities, in CoreGraphics, could allow an attacker to use a rigged PDF file to launch code execution attacks. This is caused by an integer overflow vulnerability in the way PDF files are handled.

“By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution,” Apple warned in an advisory.
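The CoreGraphics flaw is described above as an integer overflow in PDF handling. The following is an added illustration, not Apple's code and not the actual CoreGraphics defect: a hypothetical length-prefixed stream header (a constructed `struct stream_hdr` with a count and an element size, both invented for this example) whose product is computed in 32-bit arithmetic and wraps, placed beside a checked version that rejects the header before any allocation and bounds it against the bytes actually present in the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed, hypothetical stream header used only for this illustration.
 * Many binary formats carry a count and a per-element size and let the
 * parser derive an allocation size by multiplying the two.
 */
struct stream_hdr {
    uint32_t count;      /* number of elements the stream claims to hold */
    uint32_t elem_size;  /* bytes per element */
};

/*
 * Vulnerable pattern: the product is computed in 32-bit arithmetic and wraps.
 * A header with count = 0x40000001 and elem_size = 4 yields 4 bytes instead of
 * 4 GiB, so a later copy loop that trusts the header runs far past the buffer.
 * This function only returns the wrapped size; it deliberately does not copy.
 */
uint32_t vulnerable_alloc_size(const struct stream_hdr *h)
{
    return h->count * h->elem_size;  /* wraps modulo 2^32 */
}

/*
 * Hardened pattern: refuse the header if the product would wrap, then bound
 * the result against the payload bytes actually present in the input.
 * Returns 0 on success (size written to *out), -1 if the header is rejected.
 */
int checked_alloc_size(const struct stream_hdr *h, size_t avail, size_t *out)
{
    if (h->count == 0 || h->elem_size == 0) {
        *out = 0;
        return 0;
    }
    if (h->count > UINT32_MAX / h->elem_size)
        return -1;                                  /* product would wrap */
    uint64_t total = (uint64_t)h->count * h->elem_size;
    if (total > avail)
        return -1;                                  /* header claims more than is present */
    *out = (size_t)total;
    return 0;
}

/*
 * Parse a constructed stream (header followed by payload). The payload is
 * copied into a fresh buffer only when the header passes the checks above.
 * Returns the copy (caller frees) or NULL on rejection.
 */
unsigned char *parse_stream(const unsigned char *buf, size_t len, size_t *out_len)
{
    struct stream_hdr h;
    if (len < sizeof h)
        return NULL;
    memcpy(&h, buf, sizeof h);

    size_t payload = 0;
    if (checked_alloc_size(&h, len - sizeof h, &payload) != 0)
        return NULL;

    unsigned char *copy = malloc(payload ? payload : 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf + sizeof h, payload);
    *out_len = payload;
    return copy;
}

int main(void)
{
    /* Constructed hostile header: 0x40000001 elements of 4 bytes each. */
    struct stream_hdr bad = { 0x40000001u, 4u };
    printf("vulnerable size: %u bytes (wrapped)\n", vulnerable_alloc_size(&bad));

    size_t n = 0;
    printf("checked: %s\n",
           checked_alloc_size(&bad, 64, &n) == 0 ? "accepted" : "rejected");

    /* Constructed benign stream: 3 elements of 2 bytes, followed by 6 payload bytes. */
    unsigned char good[sizeof(struct stream_hdr) + 6];
    struct stream_hdr gh = { 3u, 2u };
    memcpy(good, &gh, sizeof gh);
    memcpy(good + sizeof gh, "abcdef", 6);

    size_t got = 0;
    unsigned char *p = parse_stream(good, sizeof good, &got);
    printf("benign stream: %s, %zu bytes\n", p ? "accepted" : "rejected", got);
    free(p);
    return 0;
}
```

The first check (`count > UINT32_MAX / elem_size`) is the one the unchecked version lacks; the second (`total > avail`) catches the more common case where the header is merely inconsistent with the file, which is worth rejecting even when no wrap occurs.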

Another potentially serious buffer overflow was also identified in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code that iChat uses to create port mappings on home NAT gateways.

“By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution,” Apple said.

Four different denial-of-service issues in BIND are also addressed along with holes in Alias Manager, fetchmail, file (code execution possible), mDNSResponder, PPP, ruby, screen, texinfo and VPN.

[UPDATE: May 25, 2007 @ 11:21 am] Immunity has released exploit code for the mDNSResponder (Bonjour) vulnerability, which carries code execution risks.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



Talkback

Most Recent of 149 Talkback(s)

$600 Cdn. for osx's version of REMOTE DESKTOP...
...that's FREE with xppro.
Posted by: Feldwebel Wolfenstool | Posted on: 09/06/07
That's OK  John Zern | 05/24/07
Wow, Apple developers are impressive!  NonZealot | 05/24/07
Guess so....can you "PROVE" it other wise?  Laff | 05/25/07
The odds are against it.  ye | 05/25/07
Granted but that is not proof nor fact.  Laff | 05/25/07
So?  Kama-sama | 05/27/07
In most cases almost all I do not choose to believe at all.  Laff | 05/28/07
actually its probably true...  doh123 | 05/26/07
Wow, OSX is SO secure!!  NonZealot | 05/24/07
Seriously....  IAHawkeye | 05/24/07
Mac flaws start to surface  Mectron | 05/24/07
Overcharge?  Fred Fredrickson | 05/24/07
A very typical Mac user response  xuniL_z | 05/25/07
So...  zkiwi | 05/25/07
So.....  xuniL_z | 05/26/07
I think you need  zkiwi | 05/28/07
You forgot the part where part of the price is shunted  John Zern | 05/25/07
See with open eyes  Kama-sama | 05/27/07
$600 Cdn. for osx's version of REMOTE DESKTOP...  Feldwebel Wolfenstool | 09/06/07
Heeheheh  IAHawkeye | 05/24/07
Neither are your "opinions"  fr0thy2. | 05/25/07
Can't help it if i'm right...  IAHawkeye | 05/25/07
Sorry to hear that  Kama-sama | 05/27/07
Off the meds again are we?  Laff | 05/25/07
There's flaws and then there's flaws.  Resuna | 05/25/07
What a concept  Chiatzu | 05/25/07
Actually he's right...read prior posts  fr0thy2. | 05/25/07
PDF is the native Mac OS X graphic element  Ponce? | 05/24/07
What a stupid thing to do!!  NonZealot | 05/24/07
Microsoft Did the same with Explorer  Ponce? | 05/24/07
That's his point...  wolf_z | 05/25/07
There is a fundamental difference  frgough | 05/25/07
Except you are wrong  NonZealot | 05/25/07
Wow!  zkiwi | 05/25/07
Poor zkiwi  NonZealot | 05/25/07
So...  zkiwi | 05/25/07
What does that have to do with the findings?  xuniL_z | 05/26/07
Response to the Poor Zealot.  msalzberg | 05/26/07
Speaking of being Wrong.  xuniL_z | 05/26/07
Zealot claimed...  msalzberg | 05/26/07
Not how I read it.  xuniL_z | 05/26/07
xuniL_z, as is typical...  msalzberg | 05/26/07
The DoJ did not  zkiwi | 05/26/07
One more time.  xuniL_z | 05/27/07
Zkiwi  xuniL_z | 05/27/07
Reading  zkiwi | 05/27/07
xuniL_z: thanks  NonZealot | 05/27/07
well  xuniL_z | 05/27/07
Exactly...  fr0thy2. | 05/25/07
you do not understand  doh123 | 05/26/07
I understand perfectly!  NonZealot | 05/26/07
if it makes you feel more secure  A.Lizard | 05/26/07
Good For Apple.  IAHawkeye | 05/24/07
Actively working on security?  NonZealot | 05/24/07
It's truly pathetic..  msalzberg | 05/24/07
Ditto  IAHawkeye | 05/24/07
What?  rapson | 05/25/07
But when you buy OSX..  msalzberg | 05/25/07
EXCELLENT POINT!!!!  Laff | 05/25/07
I think the difference is...  Badgered | 05/25/07
As long as you like your collar!!  NonZealot | 05/25/07
Non..what jail?  Laff | 05/25/07
Not really...  fr0thy2. | 05/25/07
No.  frgough | 05/25/07
No, that's not what I'm saying.  msalzberg | 05/25/07
You actually think?  Rick_K | 05/25/07
Yes and No  John Zern | 05/25/07
not true...  doh123 | 05/26/07
Let's test your assertion  wolf_z | 05/25/07
While I don't care for 1GBit Ethernet, B600 wins over for me.  Grayson Peddie | 05/25/07
Both products aimed for different markets/people/choices  Laff | 05/25/07
Not sure I understand the last comment...  fr0thy2. | 05/25/07
It's all about your personal preference....  Laff | 05/25/07
What do you need to add?  msalzberg | 05/25/07
As Harry Bardal would say  frgough | 05/25/07
You sound as dumb as Harry when he says it  NonZealot | 05/25/07
Try comparing computers...  msalzberg | 05/25/07
Excellent post!  NonZealot | 05/25/07
Again you're clueless  Rick_K | 05/25/07
You can't be this clueless, can you?  NonZealot | 05/25/07
Don't try to confuse the Zealot..  msalzberg | 05/26/07
Funny...  msalzberg | 05/25/07
Why?  wolf_z | 05/25/07
Ooops. messed up the math  wolf_z | 05/25/07
But how would Apple make money?  NonZealot | 05/25/07
and...  doh123 | 05/26/07
you miss a lot of facts there....  doh123 | 05/26/07
You have an odd definition of crappy...  wolf_z | 05/28/07
Don't you feel stupid?  TonyMcS | 05/24/07
grow up  SquishyParts | 05/24/07
With a statement like that I think you need to check...  fr0thy2. | 05/25/07
Me too  NonZealot | 05/25/07
addendum  NonZealot | 05/25/07
I've gotten one virus..  msalzberg | 05/25/07
Annoying I find them funny myself but I guess it takes all kinds:)  Laff | 05/25/07
When OS X gets the same number of users...  fr0thy2. | 05/25/07
And you KNOW this for a fact how?  Laff | 05/25/07
The ads are gross misadvertising. Apple also sold computers by hyping up  HypnoToad72 | 05/25/07
not 99%  doh123 | 05/26/07
Yeah, 70% sounds right  NonZealot | 05/26/07
You don't even use a Mac  SquishyParts | 05/24/07
A hacked Mac is like...  Sporeman | 05/24/07
Then the Loch Ness has been found  NonZealot | 05/24/07
LOL  Sporeman | 05/24/07
Well Non your response please?  Laff | 05/25/07
Did you actually read both of those...I don't think so.  fr0thy2. | 05/25/07
Now THAT is funny....  rtk | 05/26/07
You do realize that...  msalzberg | 05/25/07
Then why does Apple create  GuidingLight | 05/28/07
I never claimed..  msalzberg | 05/28/07
MAC SECURITY?  Feldwebel Wolfenstool | 05/28/07
So interesting story leaves out a few details like HOW  Laff | 05/28/07
YA....  Feldwebel Wolfenstool | 09/06/07
Dork  Sporeman | 05/24/07
Do you know anything about Windows?  NonZealot | 05/24/07
Ok, I'll fall for it again, one more time....  IAHawkeye | 05/24/07
Are you thinking of Windows 9x?  PB_z | 05/25/07
Ah Hem,.....Cough,....  IAHawkeye | 05/25/07
I guess HS is out for you now...  fr0thy2. | 05/25/07
Sorry, I couldn't resist...  Badgered | 05/25/07
LOL- Good Point...touch type...no spell Check  fr0thy2. | 05/25/07
How me right?  IAHawkeye | 05/25/07
Actually, I am a Windows developer  Sporeman | 05/24/07
Sure.  toadlife | 05/24/07
Most Windows users have no idea...  Sporeman | 05/25/07
And it's obvious neither do you.  ye | 05/25/07
So Windows is secure...  msalzberg | 05/25/07
"Ouch"... being a Window's fanboy  MacCanuck | 05/25/07
Dork?  daMan25 | 05/25/07
Mac Vulnerable?  daMan25 | 05/25/07
Or Apple is finding them as well?  Laff | 05/25/07
The only ones  frgough | 05/25/07
Nice post  NonZealot | 05/25/07
Ton's I knew of a few and they were primarily aimed  Laff | 05/25/07
Well...  zkiwi | 05/25/07
All OSes are bad, Fugedaboudit  Narg | 05/25/07
I agree  John Zern | 05/25/07
17?  Rick_K | 05/25/07
Then you admit that Apple is dishonest  NonZealot | 05/25/07
It looks like he's using the new iMath  John Zern | 05/25/07
Count, not "can't"  John Zern | 05/25/07
It's just possible  zkiwi | 05/25/07
If you dig a little deeper...  3D0G | 05/25/07
Extremely pleased with my Mac  dks_z | 05/25/07
Actually, they emulate each other  John Zern | 05/25/07
It's important to remember...  msalzberg | 05/26/07
Correct  xuniL_z | 05/26/07
Let's stop the Mac bashing  Boot_Agnostic | 05/28/07
Uhm...  xxn1927 | 06/11/07
