Printed from http://www.macnn.com

Apple issues Mac Pro security update

updated 04:45 pm EDT, Wed August 9, 2006

Mac Pro security update

Apple has released a security update for its new professional Mac Pro systems, which debuted on August 7th at the Worldwide Developers Conference in San Francisco. Security Update 2006-004 for Mac Pro includes all of the fixes featured in a previous security update released on August 1st, along with two vulnerability fixes relating to ImageIO and OpenSSH. The fixes for those issues were not fully tested in time for the manufacturing of the Mac Pro, according to Apple, and are provided via the new security update. "This update is a proper subset of the full Security Update 2006-004 released on August 1st. Existing systems that have already applied Security Update 2006-004 (August 1st release) do not need to install this update." Fixes pertain only to systems running Mac OS X 10.4.7 Build 8K1079 or Mac OS X Server 10.4.7 Build 8K1079.

ImageIO

Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. The update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X 10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Apple offers credit to Tavis Ormandy and the Google Security Team for reporting the issue.
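As an illustration of what "additional validation of TIFF images" can mean in practice, the following added example (not part of the original article and not Apple's fix) bounds-checks every entry of a TIFF file's first image file directory before any tag data would be read. The function name `tiff_check_first_ifd` and the `GOOD`/`BAD` byte arrays are constructed for this example; the field layout follows the TIFF 6.0 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte size per TIFF 6.0 field type code (index 0 is invalid). */
static const uint8_t TYPE_SIZE[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Constructed samples: one-entry IFD; BAD claims 0x40000000 LONGs at offset 8. */
const uint8_t GOOD[26] = {'I','I',42,0, 8,0,0,0, 1,0, 0,1, 3,0, 1,0,0,0, 16,0,0,0};
const uint8_t BAD[26]  = {'I','I',42,0, 8,0,0,0, 1,0, 0,1, 4,0, 0,0,0,0x40, 8,0,0,0};

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)rd16(p, 1) | (uint32_t)rd16(p + 2, 1) << 16
              : (uint32_t)rd16(p, 0) << 16 | rd16(p + 2, 0);
}

/* Returns 0 if the first IFD and all its entries lie inside buf, else < 0. */
int tiff_check_first_ifd(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;                          /* truncated header */
    int le = memcmp(buf, "II", 2) == 0;
    if (!le && memcmp(buf, "MM", 2) != 0) return -2; /* bad byte-order mark */
    if (rd16(buf + 2, le) != 42) return -2;          /* bad magic */

    uint64_t ifd = rd32(buf + 4, le);
    if (ifd + 2 > len) return -3;
    uint64_t n = rd16(buf + ifd, le);
    if (ifd + 2 + n * 12 + 4 > len) return -3;       /* entries + next-IFD offset */

    for (uint64_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12;   /* tag, type, count, value */
        uint16_t type = rd16(e + 2, le);
        uint64_t count = rd32(e + 4, le);
        if (type == 0 || type > 12) return -4;       /* unknown field type */
        uint64_t bytes = count * TYPE_SIZE[type];    /* 64-bit, so no wraparound */
        if (bytes <= 4) continue;                    /* value stored inline */
        uint64_t off = rd32(e + 8, le);
        if (off > len || bytes > len - off) return -5; /* data runs past the file */
    }
    return 0;
}

int main(void) {
    printf("good=%d bad=%d\n", tiff_check_first_ifd(GOOD, sizeof GOOD),
           tiff_check_first_ifd(BAD, sizeof BAD));
    return 0;
}
```

The `BAD` sample is rejected because its declared element count times the element size exceeds the bytes actually present; computing that product in 64 bits keeps the comparison meaningful for any 32-bit count.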

OpenSSH

Attempting to log in to an OpenSSH server ("Remote Login") using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. The update addresses the issue by properly handling attempted logins by nonexistent users. The issue does not affect systems prior to Mac OS X 10.4. Apple offers credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting the issue.




by MacNN Staff

Comments

  1. lockhartt

    Joined: Dec 1969

    0

    wow...

    Apple's detailing security issues and formally acknowledging discovering/reporting parties?

    This seems like a welcome change to me.

  1. Luke MacWalker

    Joined: Dec 1969

    0

    re: wow...

    Apple has been giving this kind of "details" for a while in the descriptions of the security updates, on their website. Nothing new here.

  1. e:leaf

    Joined: Dec 1969

    0

    re: re: wow

    Apple has never been transparent about their security updates. Not even close. The explanations which accompany each update have always been vague to the point of obscurity for most users.

    I agree with lockhartt. This is a welcome change.

  1. ZinkDifferent

    Joined: Dec 1969

    0

    welcome change...

    You may both consider it a welcome change, but Apple has been providing this kind of information (details on exploits fixed, and crediting the parties responsible) for quite a while (at least going back 6 months, if not longer)

  1. zulfikarn

    Joined: Dec 1969

    0

    wowee

    Yes, I wish they gave more detail, as well as like say example code, now that would really be interesting

  1. gfer

    Joined: Dec 1969

    0

    No changes

    Apple always publish the CVE or CAN reference code. Search for more details in US-CERT, cve.mitre.org or the National Vulnerability Database.
