updated 04:45 pm EDT, Wed August 9, 2006
Mac Pro security update
Apple has released a security update for its new professional Mac Pro systems, which debuted on August 7th at the World Wide Developers Conference in San Francisco. Security Update 2006-004 for Mac Pro includes all of the fixes featured in a previous security update released on August 1st, along with two vulnerability fixes relating to ImageIO and OpenSSH. The fixes for those issues were not fully tested in time for the manufacturing of the Mac Pro, according to Apple, and are provided via the new security update. "This update is a proper subset of the full Security Update 2006-004 released on August 1st. Existing systems that have already applied Security Update 2006-004 (August 1st release) do not need to install this update." Fixes pertain only to systems running Mac OS X 10.4.7 Build 8K1079 or Mac OS X Server 10.4.7 Build 8K1079.
Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. The update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X 10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Apple offers credit to Tavis Ormandy and the Google Security Team for reporting the issue.
Attempting to log in to an OpenSSH server ("Remote Login") using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. The update addresses the issue by properly handling attempted logins by nonexistent users. The issue does not affect systems prior to Mac OS X 10.4. Apple offers credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting the issue.