Mac Security: Summary of Apple Security Update 2006-007

Discussion in 'Apple' started by Derek Currie, Nov 30, 2006.

  1. Derek Currie

    Derek Currie Guest

    2006-11-28 Apple released a substantial new security update. Reading
    through the security patches is daunting. The size of the update I
    installed Tuesday was over 45 MB. That's big. But on the other hand I'm
    glad Apple are getting serious about keeping Mac OS X as secure as
    possible. They've been receiving criticism during the last year over
    security vulnerabilities, and they're clearly responding. Hmm. Maybe all
    the FUD has actually been good for something!

    So far I have not heard of any problems installing the update. But of
    course be sure to follow the usual procedure: Repair your permissions
    with Disk Utility, then install, restart, then repair your permissions
    again. Annoying, but it keeps you out of trouble.

    You can read the full length summary of this update at Apple's website:
    <http://docs.info.apple.com/article.html?artnum=304829>

    Rather than subject you to my own long summary of the update I am
    posting here the brief summary from MacInTouch. (Actually I am being
    lazy. This is a really really long update!) Ric Ford's MacInTouch is one
    of the top five essential Mac sites, IMHO. If you find my Mac Security
    posts of any value, please visit the MacInTouch site and make a donation.
    <http://www.macintouch.com/>

    :-Derek
    =================

    From Ric Ford's MacInTouch, 2006-11-29:

    Apple's Security Update 2006-007 patches a substantial collection of
    vulnerabilities in the following versions of the operating system:

    * Mac OS X 10.3.9
    <http://www.apple.com/support/downloads/securityupdate20060071039client.html>
    * Server 10.3.9
    <http://www.apple.com/support/downloads/securityupdate20060071039server.html>
    * Mac OS X 10.4.8 PowerPC
    <http://www.apple.com/support/downloads/securityupdate20060071048clientppc.html>
    * Mac OS X 10.4.8 Intel
    <http://www.apple.com/support/downloads/securityupdate20060071048clientintel.html>
    * Server 10.4.8 PowerPC
    <http://www.apple.com/support/downloads/securityupdate20060071048serverppc.html>
    * Server 10.4.8 Universal
    <http://www.apple.com/support/downloads/securityupdate20060071048serveruniversal.html>

    AirPort, CVE-2006-5710
    Impact: Attackers on the wireless network may cause arbitrary code
    execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5710>

    ATS, CVE-2006-4396
    Impact: Local users may be able to overwrite or create files with system
    privileges
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4396>

    ATS, CVE-2006-4398
    Impact: Local users may be able to run arbitrary code with raised
    privileges
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4398>

    ATS, CVE-2006-4400
    Impact: Viewing maliciously-crafted font files may lead to arbitrary
    code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4400>

    CFNetwork, CVE-2006-4401
    Impact: Visiting FTP URIs may inject arbitrary FTP commands
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4401>

    ClamAV, CVE-2006-4182
    Impact: Processing maliciously-crafted email messages with ClamAV may
    lead to arbitrary code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4182>

    Finder, CVE-2006-4402
    Impact: Browsing a shared directory may lead to an application crash or
    arbitrary code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4402>

    ftpd, CVE-2006-4403
    Impact: When FTP Access is enabled, unauthorized users may determine
    account name validity
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4403>

    gnuzip, CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337,
    CVE-2006-4338
    Impact: Uncompressing a file with gunzip may lead to an application
    crash or arbitrary code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338>

    Installer, CVE-2006-4404
    Impact: When installing software as an Admin user, system privileges may
    be used without explicit authorization
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4404>

    OpenSSL, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339,
    CVE-2006-4343
    Impact: Multiple vulnerabilities in OpenSSL
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343>

    perl, CVE-2005-3962
    Impact: Perl applications with unsafe string handling may be vulnerable
    to arbitrary code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962>

    PHP, CVE-2006-1490, CVE-2006-1990
    Impact: PHP applications may be vulnerable to denial of service or
    arbitrary code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1990>

    PHP, CVE-2006-5465
    Impact: PHP applications may be vulnerable to arbitrary code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5465>

    PPP, CVE-2006-4406
    Impact: Using PPPoE on an untrusted local network may lead to arbitrary
    code execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4406>

    Samba, CVE-2006-3403
    Impact: When Windows Sharing is enabled, remote attackers may cause a
    denial of service
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403>

    Security Framework, CVE-2006-4407
    Impact: Secure Transport may not negotiate the best cipher available
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4407>

    Security Framework, CVE-2006-4408
    Impact: Processing X.509 certificates may lead to a denial of service
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4408>

    Security Framework, CVE-2006-4409
    Impact: When using an HTTP proxy, certificate revocation lists cannot be
    retrieved
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4409>

    Security Framework, CVE-2006-4410
    Impact: Certain revoked certificates may be erroneously honored
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4410>

    VPN, CVE-2006-4411
    Impact: Malicious local users may gain system privileges
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4411>

    WebKit, CVE-2006-4412
    Impact: Visiting a malicious web site may lead to arbitrary code
    execution
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4412>

    --
    Fortune Magazine, 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    <http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975]
     
    Derek Currie, Nov 30, 2006
    #1
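    The entries quoted above all follow one layout (component line with one or
    more CVE IDs, a wrapped "Impact:" sentence, then CVE links), which makes
    them easy to triage mechanically. The script below is an added example,
    not code from the original post, from MacInTouch or from Apple: it parses
    that layout and buckets each entry by the kind of impact it describes. The
    sample text is a constructed excerpt of four entries from the quoted
    summary, and the keyword rules in `classify` and `is_local` are an
    assumption about how Apple phrases these advisories, not an official
    severity scale.

```python
"""Parse the component / CVE / Impact entries of an Apple security-update
summary (the layout MacInTouch quoted above) and triage them by impact."""
import re
from dataclasses import dataclass, field

# Constructed sample: four entries copied from the 2006-007 summary, kept in
# the same wrapped layout as the quoted post (multi-line header and Impact).
SAMPLE = """\
AirPort, CVE-2006-5710
Impact: Attackers on the wireless network may cause arbitrary code
execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5710>

ATS, CVE-2006-4396
Impact: Local users may be able to overwrite or create files with system
privileges
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4396>

gnuzip, CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337,
CVE-2006-4338
Impact: Uncompressing a file with gunzip may lead to an application
crash or arbitrary code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334>

Samba, CVE-2006-3403
Impact: When Windows Sharing is enabled, remote attackers may cause a
denial of service
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403>
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    component: str
    cves: list
    impact: str
    links: list = field(default_factory=list)


def parse_summary(text):
    """Split the summary into blank-line-separated blocks and parse each one.

    Lines before "Impact:" form the header (component + CVE IDs, possibly
    wrapped); lines from "Impact:" on are the impact sentence; lines wrapped in
    <...> are links and are collected separately wherever they appear."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header, impact, links = [], [], []
        section = "header"
        for line in block.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("<") and line.endswith(">"):
                links.append(line[1:-1])
                continue
            if line.startswith("Impact:"):
                section = "impact"
                line = line[len("Impact:"):].strip()
            (header if section == "header" else impact).append(line)
        if not header or not impact:
            raise ValueError("malformed entry: %r" % block[:40])
        head = " ".join(header)
        component = head.split(",", 1)[0].strip()
        entries.append(Entry(component, CVE_RE.findall(head), " ".join(impact), links))
    return entries


def classify(entry):
    """Bucket by impact phrase (assumed wording; code execution wins over the
    weaker buckets when an entry mentions both, e.g. "crash or arbitrary code")."""
    text = entry.impact.lower()
    if "arbitrary code execution" in text or "run arbitrary code" in text:
        return "code-execution"
    if "privileges" in text:
        return "privilege-escalation"
    if "denial of service" in text or "crash" in text:
        return "denial-of-service"
    return "other"


def is_local(entry):
    """True when the advisory scopes the issue to local users (assumed phrasing)."""
    return "local user" in entry.impact.lower()


def triage(entries):
    """Return {bucket: [label, ...]} with remote issues listed before local ones."""
    buckets = {}
    for e in sorted(entries, key=is_local):
        label = "%s (%s)%s" % (e.component, ", ".join(e.cves), " [local]" if is_local(e) else "")
        buckets.setdefault(classify(e), []).append(label)
    return buckets


if __name__ == "__main__":
    for bucket, labels in triage(parse_summary(SAMPLE)).items():
        print(bucket)
        for label in labels:
            print("  " + label)
```

    Paste the whole quoted list into `SAMPLE` (or read it from a file) and the
    code-execution bucket is the list of items to patch first; the `[local]`
    marker separates the local privilege issues from the ones reachable over
    the network or through hostile content.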

  2. Nashton

    Nashton Guest

    SPAM alert.

    Have you no shame, Derek? Tsk, tsk.
     
    Nashton, Nov 30, 2006
    #2

  3. Steve de Mena wrote
    Hardly. They waited over 10 years before putting out an update
    to Internet Explorer capable of doing something incredibly
    simple, like handling the .png graphics format properly.

    "months" was an understatement by an order of magnitude or more.
     
    Lefty Bigfoot, Dec 1, 2006
    #3
  4. Steve de Mena wrote
    It wasn't meant to be funny, it's a fact.
     
    Lefty Bigfoot, Dec 1, 2006
    #4
  5. Steve de Mena wrote
    You're wrong. A situation that happens annoyingly often.
     
    Lefty Bigfoot, Dec 1, 2006
    #5
  6. Sandman

    Sandman Guest

    "That no one but geeks cared about."

    Well, there are lots of technical shortcomings in a lot of products
    that only geek *care* about but lots of people are *affected* by.
     
    Sandman, Dec 1, 2006
    #6
  7. Steve de Mena wrote
    I was talking about what you wrote, specifically:

    "That statement about Microsoft waiting months and
    months to post patches is pure fiction. Sorry.

    Steve"

    Furthermore, when something crashes your web browser (and
    calling IE a browser is being generous) it does not impose a
    feeling of security on the user.

    :p
     
    Lefty Bigfoot, Dec 1, 2006
    #7
  8. Since it's in this thread, it seems to me that he was talking about
    security patches. And Microsoft posts security patches on a monthly
    basis -- they even have a name for it, "Patch Tuesday" (because it's
    always the 1st Tuesday of the month).

    Apple doesn't do it as regularly, but they don't need to.
     
    Barry Margolin, Dec 2, 2006
    #8