Thursday, 12 February 2009

Mac Security Update 2009-001, Java Updates and a Safari for Windows Update

--
If you'd like to read Apple's notes about Security Update 2009-001, you can click HERE.

Ahead is a quick analysis of what is covered in the update, along with comments.

This security update is specifically for computers updated to Mac OS X 10.4.11 and 10.5.6, both client and server. Presumably it will be integrated into 10.5.7 when it's available.

There are 28 specific security updates including fixes for 48 documented vulnerabilities, making this another whopper relative to the updates we used to get from Apple a couple of years back. I like that. The updates cover some interesting aspects of Mac OS X that Apple has not previously addressed. This indicates to me that over time they are carefully combing through aspects of the OS rather than randomly poking around or only responding as they receive vulnerability reports from third parties.

As ever, there are several buffer overflow patches. Memory management remains one of the banes of contemporary coding. I'm getting the idea that this problem won't go away until we invent an AI that can self-analyze its own computer code. It could happen!

A surprising trend in this update is the patching of security problems introduced specifically in Mac OS X 10.5.6. Ahem Apple. Ahem beta testers.

Cookies: There are a couple of repairs for cookie problems introduced into the CFNetwork process in Mac OS X 10.5.6.

Printing: Included is a CUPS update as well as a repair of an error in the csregprinter process that allowed escalation to system privileges.

Scripting: There are several patches provided for Python and one for Perl.

Remote Apple Events: There are a couple of buffer overflow and out-of-bounds memory access patches.

SMB: Apple themselves patched a couple of buffer problems, which is interesting. It's good to see Apple serious about compatibility with Windows networks.

X11: There is a collection of patches covering font handling, user privilege plundering and several other vulnerabilities in the X11 server.

JavaScript: Here's another bane of contemporary coding. This time the patch is to Safari's RSS handling of feed URLs.

Mail services: A pair of patches is made to fetchmail and another pair to SquirrelMail.

Video: Yet another problem with maliciously crafted media files. This time a patch is provided for the Pixlet codec.

Other patched services include:

AFP Server
CarbonCore's Resource Manager
Certificate Assistant
CoreText
DS Tools: dscl
Folder Manager
FSEvents framework: fseventsd
Network Time
Server Manager: servermgrd
XTerm

Also included is a security-updated version of ClamAV for both 10.4 and 10.5 Server.

There were also a few other security-related updates released today. Here is a list, with links provided to their individual security update description documents:

Safari 3.2.2 for Windows

Java for Mac OS X 10.4 Release 8

Java for Mac OS X 10.5 Update 3

The Java security vulnerabilities that were patched include maliciously written web-page Java applets allowing user privilege plundering. These problems weren't in Apple's implementation but in Java itself. SOS: Java was supposed to be as safe as a sandbox. Yeah, a sandbox full of land sharks.

My recommendation for security fanatics, as per recommendations from security expert Steve Gibson: If you don't want to take chances with hacker-perpetrated JavaScript and Java, use a browser that lets you turn on support for both on a site-by-site basis. As with using Little Snitch, it can be a PITA dithering around with little stuff on the net. But the geek in me adjusted such that I use site-by-site service control all the time. The browser I use for this purpose is OmniWeb. It's the bells-and-whistles web browser for Mac OS X and is well worth paying for if you like its abundant added features. You can also rig Firefox to handle site-by-site services as well. Camino and Safari are, sadly, clueless about site-specific control. I haven't tested other browsers.

BTW: Coming up is my long delayed discussion of Tracking Cookies.

Share and Enjoy!

:-Derek
--
