Mac Security: Summary of Apple Security Update 2006-007

Discussion in 'Apple' started by Derek Currie, Nov 30, 2006.

  1. Derek Currie

    Derek Currie Guest

    2006-11-28 Apple released a substantial new security update. Reading
    through the security patches is daunting. The size of the update I
    installed Tuesday was over 45 MB. That's big. But on the other hand I'm
    glad Apple are getting serious about keeping Mac OS X as secure as
    possible. They've been receiving criticism during the last year over
    security vulnerabilities, and they're clearly responding. Hmm. Maybe all
    the FUD has actually been good for something!

    So far I have not heard of any problems installing the update. But of
    course be sure to follow the usual procedure: Repair your permissions
    with Disk Utility, then install, restart, then repair your permissions
    again. Annoying, but it keeps you out of trouble.

    You can read the full length summary of this update at Apple's website:

    Rather than subject you to my own long summary of the update I am
    posting here the brief summary from MacInTouch. (Actually I am being
    lazy. This is a really really long update!) Ric Ford's MacInTouch is one
    of the top five essential Mac sites, IMHO. If you find my Mac Security
    posts of any value, please visit the MacInTouch site and make a donation.

    From Ric Ford's MacInTouch, 2006-11-29:

    Apple's Security Update 2006-007 patches a substantial collection of
    vulnerabilities in the following versions of the operating system:

    * Mac OS X 10.3.9
    * Server 10.3.9
    * Mac OS X 10.4.8 PowerPC
    * Mac OS X 10.4.8 Intel
    * Server 10.4.8 PowerPC
    * Server 10.4.8 Universal

    AirPort, CVE-2006-5710
    Impact: Attackers on the wireless network may cause arbitrary code

    ATS, CVE-2006-4396
    Impact: Local users may be able overwrite or create files with system

    ATS, CVE-2006-4398
    Impact: Local users may be able to run arbitrary code with raised

    ATS, CVE-2006-4400
    Impact: Viewing maliciously-crafted font files may lead to arbitrary
    code execution

    CFNetwork, CVE-2006-4401
    Impact: Visiting FTP URIs may inject arbitrary FTP commands

    ClamAV, CVE-2006-4182
    Impact: Processing maliciously-crafted email messages with ClamAV may
    lead to arbitrary code execution

    Finder, CVE-2006-4402
    Impact: Browsing a shared directory may lead to an application crash or
    arbitrary code execution

    ftpd, CVE-2006-4403
    Impact: When FTP Access is enabled, unauthorized users may determine
    account name validity

    gnuzip, CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337,
    Impact: Uncompressing a file with gunzip may lead to an application
    crash or arbitrary code execution

    Installer, CVE-2006-4404
    Impact: When installing software as an Admin user, system privileges may
    be used without explicit authorization

    OpenSSL, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339,
    Impact: Multiple vulnerabilities in OpenSSL

    perl, CVE-2005-3962
    Impact: Perl applications with unsafe string handling may be vulnerable
    to arbitrary code execution

    PHP, CVE-2006-1490, CVE-2006-1990
    Impact: PHP applications may be vulnerable to denial of service or
    arbitrary code execution

    PHP, CVE-2006-5465
    Impact: PHP applications may be vulnerable to arbitrary code execution

    PPP, CVE-2006-4406
    Impact: Using PPPoE on an untrusted local network may lead to arbitrary
    code execution

    Samba, CVE-2006-3403
    Impact: When Windows Sharing is enabled, remote attackers may cause a
    denial of service

    Security Framework, CVE-2006-4407
    Impact: Secure Transport may not negotiate the best cipher available

    Security Framework, CVE-2006-4408
    Impact: Processing X.509 certificates may lead to a denial of service

    Security Framework, CVE-2006-4409
    Impact: When using an HTTP proxy, certificate revocation lists cannot be

    Security Framework, CVE-2006-4410
    Impact: Certain revoked certificates may be erroneously honored

    VPN, CVE-2006-4411
    Impact: Malicious local users may gain system privileges

    WebKit, CVE-2006-4412
    Impact: Visiting a malicious web site may lead to arbitrary code

    Fortune Magazine, 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975]
    Derek Currie, Nov 30, 2006

  2. Nashton

    Nashton Guest

    SPAM alert.

    Have you no shame, Derek? Tsk, tsk.
    Nashton, Nov 30, 2006

  3. Steve de Mena wrote
    Hardly. They waited over 10 years before putting out an update
    to Internet Explorer capable of doing something incredibly
    simple, like handling the .png graphics format properly.

    "months" was an understatement by an order of magnitude or more.
    Lefty Bigfoot, Dec 1, 2006
  4. Steve de Mena wrote
    It wasn't meant to be funny, it's a fact.
    Lefty Bigfoot, Dec 1, 2006
  5. Steve de Mena wrote
    You're wrong. A situation that happens annoyingly often.
    Lefty Bigfoot, Dec 1, 2006
  6. Sandman

    Sandman Guest

    That no one but geeks cared about.

    Well, there are lots of technical shortcomings in a lot of products
    that only geek *care* about but lots of people are *affected* by.
    Sandman, Dec 1, 2006
  7. Steve de Mena wrote
    I was talking about what you wrote, specifically:

    "That statement about Microsoft waiting months and
    months to post patches is pure fiction. Sorry."

    Furthermore, when something crashes your web browser (and
    calling IE a browser is being generous) it does not impose a
    feeling of security on the user.

    Lefty Bigfoot, Dec 1, 2006
  8. Since it's in this thread, it seems to me that he was talking about
    security patches. And Microsoft posts security patches on a monthly
    basis -- they even have a name for it, "Patch Tuesday" (because it's
    always the 1st Tuesday of the month).

    Apple doesn't do it as regularly, but they don't need to.
    Barry Margolin, Dec 2, 2006