Apple Plugs 44 Security Holes

Apple released updates to fix at least 44 different security vulnerabilities in its software for Mac OS X and Windows. Forty of the flaws reside in OS X itself, while the rest are specific to Apple's version of the Safari Web browser built for Windows.

All of the OS X-specific flaws addressed in the patch bundle were for OS X 10.4 (Tiger) and earlier. There don't appear to be any updates pushed out for Leopard, Apple's most recent version of its operating system.

Also among the fixes is a patch to plug a security hole in Apple's version of the Adobe Flash Player, a vulnerability that Adobe issued its own update to fix back in July.

Apple users who have Software Updates set to automatically check for updates should be prompted to install the fixes sometime over the next few days. The update bundle should also be available at Apple Downloads.

Windows users of Safari 3 Beta can update through the bundled Apple Software Update application, or by grabbing the latest version at Apple Downloads.

Update, 2:07 p.m. ET: Make that 47 vulnerabilities. Apple just this afternoon released a trio of updates for Leopard users (OS X 10.5.1). The patches are designed to tighten up security around Leopard's built-in firewall. The details on these three firewall patches are pretty interesting, but they're not yet up on Apple's site. So, I have posted them in this entry. Click on the "Continue Reading" link below to see them.

Application Firewall
CVE-ID: CVE-2007-4702
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: The "Block all incoming connections" setting for the firewall is misleading
Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services", and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information. This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall
CVE-ID: CVE-2007-4703
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications"
Description: The "Set access for specific services and applications" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as "Block incoming connections". This could result in the unexpected exposure of network services. This update corrects the issue so that any executable so marked is blocked. This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall
CVE-ID: CVE-2007-4704
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Changes to Application Firewall settings do not affect processes started by launchd until they are restarted
Description: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access. This update corrects the issue so that changes take effect immediately. This issue does not affect systems prior to Mac OS X v10.5.
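The three advisories above describe two policy bugs (a UID 0 shortcut that bypasses both restrictive modes) and one caching bug (launchd-started processes keep the settings they were launched with). The following added Python model, which is not Apple's code, puts the pre-update decision logic beside the corrected logic so all three behaviours can be exercised; the process names, paths and rule entries are constructed, and treating an unlisted application in per-app mode as blocked is an assumption of the model.

```python
# Added example, not Apple's code: models the Leopard Application Firewall decisions
# in CVE-2007-4702/-4703/-4704, pre-update logic beside the fix. Processes and rules
# are constructed; "unlisted app in per-app mode => blocked" is this model's assumption.
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    BLOCK_ALL = "Block all incoming connections"   # relabelled "Allow only essential services"
    PER_APP = "Set access for specific services and applications"

ESSENTIAL_SERVICES = {"configd", "mDNSResponder", "racoon"}  # fixed allowlist from the update

@dataclass
class Process:
    name: str
    uid: int                # 0 is root
    path: str
    snapshot: tuple = None  # (mode, rules) as seen at launch; pre-fix processes use this

def decide_prefix(proc, mode, rules):
    # Pre-update: any UID 0 process bypasses both restrictive modes (4702, 4703).
    if proc.uid == 0:
        return True
    if mode is Mode.BLOCK_ALL:
        return proc.name == "mDNSResponder"
    return rules.get(proc.path, False)     # per-app list: True = allow, False = block

def decide_fixed(proc, mode, rules):
    # Post-update: no UID shortcut; small fixed allowlist; "Block" marks honoured.
    if mode is Mode.BLOCK_ALL:
        return proc.name in ESSENTIAL_SERVICES
    return rules.get(proc.path, False)

class Firewall:
    def __init__(self, mode, rules=None, fixed=False):
        self.mode, self.rules, self.fixed = mode, dict(rules or {}), fixed

    def launch(self, proc):
        proc.snapshot = (self.mode, dict(self.rules))  # launchd-started: settings frozen pre-fix
        return proc

    def set_rule(self, path, allow):
        self.rules[path] = allow           # e.g. user marks an app "Block incoming connections"

    def accepts(self, proc):
        # Would an incoming connection to proc be delivered right now?
        if self.fixed:                     # 4704 fix: live settings apply immediately
            return decide_fixed(proc, self.mode, self.rules)
        mode, rules = proc.snapshot        # 4704 bug: stale until the process restarts
        return decide_prefix(proc, mode, rules)
```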

By Brian Krebs  |  November 15, 2007; 10:15 AM ET
Categories:  New Patches , Safety Tips  

Comments

According to macrumors.com and ThinkSecret:

-- snip --
Mac OS X 10.5.1 has been undergoing testing by developers over the past two weeks, and ThinkSecret claims that it has been finalized at build 9B18. The last build made available to developers was 9B16 and was released seeded earlier this week. There were no known issues at that time.

The update is expected to simply provide stability, compatibility, and security improvements for Leopard.
-- snip --

So expect an update within a few weeks, most likely. As with all new OSes released to the general public, upgrades to the initial release are expected and routine. On a personal note, my iMac upgrade from Tiger to Leopard was painless and without issue, as many would also attest.

-Jim

Posted by: Jim Goldbloom | November 15, 2007 11:15 AM

Thanks, Jim. Are you really Jeff? I like Jeff. Jeff seems like the kinda fella who'd use a Mac...

Posted by: c0nd3mn3d | November 15, 2007 11:28 AM

You must be thinking of Jeff Goldblum (actor, The Fly, Jurassic Park, etc.) - note the spelling, but I wish I was his agent, though. Yes, he does look the type. But so do many of your friends and now grandma and also your neighbor across the street, among countless other normal folks who realize the value and are making the switch. You're next! ;-)

Posted by: Jim Goldbloom | November 15, 2007 11:40 AM

Jeff Goldblum used to narrate Apple commercials. I smell a PR plant.

Posted by: Logan Circle | November 15, 2007 12:11 PM

OMG! Get a PC!!!!

/sarc - sorry couldn't resist!

Posted by: PC Fanboy | November 15, 2007 3:56 PM

Does anyone know of software comparable to Dragon Naturally Speaking that runs on a Mac? How well does it work? I would appreciate any help anyone could give me.
Thank you.

Posted by: rb-freedom-for-all | November 15, 2007 4:05 PM

RE: Dragon Naturally Speaking for Mac

Look into IBM Via Voice which works on OS X and seems to have similar features. Visit www.nuance.com/viavoice/osx/ for details or Google "Via Voice Mac".

Posted by: Jim Goldbloom | November 16, 2007 2:28 PM

There is also iListen from MacSpeech (http://www.macspeech.com). ViaVoice is no longer being developed, supported or updated for Mac OS X and older versions will not work on 10.4 or 10.5.

Posted by: James | November 17, 2007 12:44 AM

The list of those '44' ('47') security updates goes back almost three years to January 2005. If you click through you see recent security updates along the lines of iPod, iTouch with 4; Safari 3 Beta with 10; the new Leo with 3; and old Tiger with a walloping 41. That's my cursory count at any rate.

Posted by: Rick | November 17, 2007 5:55 AM

10.5 wasn't ready for prime time when they released it.

lots of small bugs and it's destabilized some of my apps

Posted by: pat | November 17, 2007 10:15 PM

The Death of 3rd Party Security Vultures and Such!
McAfee Inc., Trend Micro Inc., CA Inc. and especially Symantec, ... say goodnight! We are about to announce MS ForeFront 2.0!
Let me make it clear that while I have tolerated these "anti-virus" vendors for years, something about their very existence has not sat very well with me. I mean, having a bunch of multi-million dollar companies that depend solely on there being bugs, leaks, holes, exploitables, mistakes, oversights and problems in Windows doesn't speak very well of Microsoft. They are like carrion, buzzards, jackals, ... protecting a rotten carcass from other smaller vermin. They always argue, "But, Bu-bu-but you need us!", maybe that was true in the past, but no longer!

VISTA IS BULLETPROOF!

None of these quacks' bags of tricks are necessary any longer!
Between WGA and Forefront the OS and Genuine MS apps are totally impervious to attack! They are so secure that many times even the registered owners have trouble gaining access to the computer! So then how could any hacker?

These vultures will kick, choke and whine as the user-base realizes this truth, but I say good riddance, your success reflected badly on us anyway.

Posted by: Steve Ballmer | November 18, 2007 2:08 AM

Hey Windows faithful!
You should taste this APPLE flavored kool-aid...it sure is refreshing, and it always pours into the glass without spilling! You ACTUALLY get to DRINK it instead of always having to wipe it up!

Posted by: Mark Arcusa | November 18, 2007 8:34 AM

I forgot:
My book will be coming out next spring:
"THE MONKEY-BOY CONSPIRACY!"
http://fakesteveballmer.blogspot.com

Posted by: steve ballmer | November 19, 2007 8:08 AM

Mark Arcusa> You ACTUALLY get to DRINK it instead of always having to wipe it up!

Yeah? And then what happens? ;^)

Posted by: antibozo | November 19, 2007 8:13 PM

Post staff: please, again, clean up the phony "Steve Ballmer" posts above, and kindly ban him while you're at it. Whoever he is, he refuses to abide by the posting policy. Thanks.

Posted by: aeschylus | November 19, 2007 11:15 PM

You might be interested in this odd little tale of Mac insecurities...

http://www.sciencetext.com/mac-hack-us-army.html

Could it really be that the mysterious public loopback IP address used by Macs isn't an inactive port of call but a packet-sniffing spook from the US military?

db

Posted by: David Bradley | December 4, 2007 9:30 AM
