Mac Security: Summary of Apple Security Update 2006-007

2006-11-28 Apple released a substantial new security update. Reading
through the security patches is daunting. The size of the update I
installed Tuesday was over 45 MB. That's big. But on the other hand I'm
glad Apple are getting serious about keeping Mac OS X as secure as
possible. They've been receiving criticism during the last year over
security vulnerabilities, and they're clearly responding. Hmm. Maybe all
the FUD has actually been good for something!

So far I have not heard of any problems installing the update. But of
course be sure to follow the usual procedure: Repair your permissions
with Disk Utility, then install, restart, then repair your permissions
again. Annoying, but it keeps you out of trouble.

You can read the full length summary of this update at Apple's website:
<http://docs.info.apple.com/article.html?artnum=304829>

Rather than subject you to my own long summary of the update I am
posting here the brief summary from MacInTouch. (Actually I am being
lazy. This is a really really long update!) Ric Ford's MacInTouch is one
of the top five essential Mac sites, IMHO. If you find my Mac Security
posts of any value, please visit the MacInTouch site and make a donation.
<http://www.macintouch.com/>

:-Derek
=================

From Ric Ford's MacInTouch, 2006-11-29:

Apple's Security Update 2006-007 patches a substantial collection of
vulnerabilities in the following versions of the operating system:

* Mac OS X 10.3.9
<http://www.apple.com/support/downloads/securityupdate20060071039client.h
tml>
* Server 10.3.9
<http://www.apple.com/support/downloads/securityupdate20060071039server.h
tml>
* Mac OS X 10.4.8 PowerPC
<http://www.apple.com/support/downloads/securityupdate20060071048clientpp
c.html>
* Mac OS X 10.4.8 Intel
<http://www.apple.com/support/downloads/securityupdate20060071048clientin
tel.html>
* Server 10.4.8 PowerPC
<http://www.apple.com/support/downloads/securityupdate20060071048serverpp
c.html>
* Server 10.4.8 Universal
<http://www.apple.com/support/downloads/securityupdate20060071048serverun
iversal.html>

AirPort, CVE-2006-5710
Impact: Attackers on the wireless network may cause arbitrary code
execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5710>

ATS, CVE-2006-4396
Impact: Local users may be able overwrite or create files with system
privileges
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4396>

ATS, CVE-2006-4398
Impact: Local users may be able to run arbitrary code with raised
privileges
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4398>

ATS, CVE-2006-4400
Impact: Viewing maliciously-crafted font files may lead to arbitrary
code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4400>

CFNetwork, CVE-2006-4401
Impact: Visiting FTP URIs may inject arbitrary FTP commands
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4401>

ClamAV, CVE-2006-4182
Impact: Processing maliciously-crafted email messages with ClamAV may
lead to arbitrary code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4182>

Finder, CVE-2006-4402
Impact: Browsing a shared directory may lead to an application crash or
arbitrary code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4402>

ftpd, CVE-2006-4403
Impact: When FTP Access is enabled, unauthorized users may determine
account name validity
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4403>

gnuzip, CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337,
CVE-2006-4338
Impact: Uncompressing a file with gunzip may lead to an application
crash or arbitrary code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338>

Installer, CVE-2006-4404
Impact: When installing software as an Admin user, system privileges may
be used without explicit authorization
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4404>

OpenSSL, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339,
CVE-2006-4343
Impact: Multiple vulnerabilities in OpenSSL
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343>

perl, CVE-2005-3962
Impact: Perl applications with unsafe string handling may be vulnerable
to arbitrary code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962>

PHP, CVE-2006-1490, CVE-2006-1990
Impact: PHP applications may be vulnerable to denial of service or
arbitrary code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1990>

PHP, CVE-2006-5465
Impact: PHP applications may be vulnerable to arbitrary code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5465>

PPP, CVE-2006-4406
Impact: Using PPPoE on an untrusted local network may lead to arbitrary
code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4406>

Samba, CVE-2006-3403
Impact: When Windows Sharing is enabled, remote attackers may cause a
denial of service
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403>

Security Framework, CVE-2006-4407
Impact: Secure Transport may not negotiate the best cipher available
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4407>

Security Framework, CVE-2006-4408
Impact: Processing X.509 certificates may lead to a denial of service
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4408>

Security Framework, CVE-2006-4409
Impact: When using an HTTP proxy, certificate revocation lists cannot be
retrieved
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4409>

Security Framework, CVE-2006-4410
Impact: Certain revoked certificates may be erroneously honored
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4410>

VPN, CVE-2006-4411
Impact: Malicious local users may gain system privileges
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4411>

WebKit, CVE-2006-4412
Impact: Visiting a malicious web site may lead to arbitrary code
execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4412>

--
Fortune Magazine, 11-29-05: What's your computer setup today?
Frederick Brooks: I happily use a Macintosh. It's not been
equalled for ease of use, and I want my computer to be a tool,
not a challenge.
<http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
[Frederick Brooks is the author of 'The Mythical Man Month'.
He spearheaded the movement to modernize computer software
engineering in 1975]

 

SPAM alert.

Have you no shame, Derek? Tsk, tsk.

 

Steve de Mena wrote

Hardly. They waited over 10 years before putting out an update
to Internet Explorer capable of doing something incredibly
simple, like handling the .png graphics format properly.

"months" was an understatement by an order of magnitude or more.

 

Steve de Mena wrote

It wasn't meant to be funny, it's a fact.

 

Steve de Mena wrote

You're wrong. A situation that happens annoyingly often.

 

That no one but geeks cared about.[/QUOTE]

Well, there are lots of technical shortcomings in a lot of products
that only geek *care* about but lots of people are *affected* by.

 

Steve de Mena wrote

I was talking about what you wrote, specifically:

"That statement about Microsoft waiting months and
months to post patches is pure fiction. Sorry.

Steve"

Furthermore, when something crashes your web browser (and
calling IE a browser is being generous) it does not impose a
feeling of security on the user.

 

Since it's in this thread, it seems to me that he was talking about
security patches. And Microsoft posts security patches on a monthly
basis -- they even have a name for it, "Patch Tuesday" (because it's
always the 1st Tuesday of the month).

Apple doesn't do it as regularly, but they don't need to.