Apple issues Mac Pro security update

updated 04:45 pm EDT, Wed August 9, 2006

Mac Pro security update

Apple has released a security update for its new professional Mac Pro systems, which debuted on August 7th at the Worldwide Developers Conference in San Francisco. Security Update 2006-004 for Mac Pro includes all of the fixes featured in a previous security update released on August 1st, along with two vulnerability fixes relating to ImageIO and OpenSSH. The fixes for those issues were not fully tested in time for the manufacturing of the Mac Pro, according to Apple, and are provided via the new security update. "This update is a proper subset of the full Security Update 2006-004 released on August 1st. Existing systems that have already applied Security Update 2006-004 (August 1st release) do not need to install this update." Fixes pertain only to systems running Mac OS X 10.4.7 Build 8K1079 or Mac OS X Server 10.4.7 Build 8K1079.


Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. The update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X 10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Apple offers credit to Tavis Ormandy and the Google Security Team for reporting the issue.


Attempting to log in to an OpenSSH server ("Remote Login") using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. The update addresses the issue by properly handling attempted logins by nonexistent users. The issue does not affect systems prior to Mac OS X 10.4. Apple offers credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting the issue.

by MacNN Staff




  1. lockhartt

    Joined: Dec 1969



    Apple's detailing security issues and formally acknowledging discovering/reporting parties?

    This seems like a welcome change to me.

  1. Luke MacWalker

    Joined: Dec 1969


    re: wow...

    Apple has been giving this kind of "details" for a while in the descriptions of the security updates, on their website. Nothing new here.

  1. e:leaf

    Joined: Dec 1969


    re: re: wow

    Apple has never been transparent about their security updates. Not even close. The explanations which accompany each update have always been vague to the point of obscurity for most users.

    I agree with lockhartt. This is a welcome change.

  1. ZinkDifferent

    Joined: Dec 1969


    welcome change...

    You may both consider it a welcome change, but Apple has been providing this kind of information (details on exploits fixed, and crediting the parties responsible) for quite a while (at least going back 6 months, if not longer).

  1. zulfikarn

    Joined: Dec 1969



    Yes, I wish they gave more detail, as well as like say example code, now that would really be interesting

  1. gfer

    Joined: Dec 1969


    No changes

    Apple always publish the CVE or CAN reference code. Search for more details in US-CERT, or the National Vulnerability Database.
