
March 18th, 2008

Someone get me rewrite: Apple delivers monster security update for OS X

Posted by Larry Dignan @ 2:08 pm


Apple delivered a security update for Tiger and Leopard Tuesday with at least 80 patches addressing multiple vulnerabilities.

You know it’s a big patch haul from Apple when you read the advisory and:

  • You’re not sure where to begin;
  • You’re IMing fellow security folks (Ryan Naraine) to count CVE numbers for some clue of how many patches are included.

Depending on who was counting, I’ve come up with about 85 CVE numbers, but there are some duplicates in there. Extract those and you still get a tally of roughly 80. The OS X update follows a Safari security update. Looks like Apple is updating its product line today.

Among the highlights:

  • ClamAV (CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728): This fix addresses multiple vulnerabilities in Mac OS X Server v10.5.2. Apple says: “Multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution.”
  • CUPS (CVE-2008-0047, CVE-2008-0053, CVE-2008-0882): Apple updated Mac OS X v10.5.2 and Mac OS X Server v10.5.2 because “multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges.”
  • Emacs (CVE-2007-5795): This update for Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a vulnerability that allows safe mode checks in Emacs to be bypassed.
  • OpenSSH (CVE-2007-4752): The update for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a flaw in OpenSSH that allows a remote attacker “to execute arbitrary code with elevated privileges.”
  • Printing (CVE-2008-0996): Apple updated Mac OS X v10.5.2 and Mac OS X Server v10.5.2 to thwart a print queue issue. Apple says: “An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5.”
  • System Configuration (CVE-2008-0998): The update covers Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The problem: “The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects.”

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.
