Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Apple unloads dozens of fixes for OS X

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Apple unloads dozens of fixes for OS X
Date: Wed, 17 Aug 2005 01:31:06 -0500 (CDT) 
http://news.com.com/Apple+unloads+dozens+of+fixes+for+OS+X/2100-1002_3-5834873.html

By Dawn Kawamoto 
Staff Writer, CNET News.com
August 16, 2005

Apple Computer has released what seems to be one of its larger
security updates for Mac OS X, doling out fixes for 44 flaws.

Still, only a handful of the vulnerabilities are of major concern,
according to security analysts. The package of fixes was released
Monday.

"This one is a big update. I don't recall seeing as many updates as we
see today," said Thomas Kristensen, Secunia's chief technology
officer.

By comparison, Apple last May released an update for 20
vulnerabilities and in March distributed an update for a dozen flaws.

But Kristensen noted that, with the new update, only a few of the 44
vulnerabilities are of great concern. He also said that 25 percent of
the patches involve older vulnerabilities that have yet to lead to
exploit code being developed by attackers. Still, Secunia is rating
the overall update as "highly critical."

Apple declined to comment on the vulnerabilities and referred all
questions to its security update.

The flaws affect Apple's Mac OS 10.3.9 and 10.4.2 operating system
software and related server software.

Kristensen said that some vulnerabilities involving AppKit and Safari
are critical.

AppKit, which is used to open RTFs (rich text files) and Word
documents, has flaws that allow a remote attacker to create a
malicious file that results in a buffer overflow. That in turn can
lead to arbitrary code being executed on a user's system.

Apple, however, notes that only some applications use AppKit, and that
Microsoft Word for Mac OS X is not vulnerable.

Flaws in Safari, meanwhile, can allow an attacker to bypass the
browser's security checks and execute arbitrary commands, when the
user clicks on a maliciously crafted rich text file.

Another flaw, a vulnerability in Apple's Sever Manager D, a modified
version of Apache, is also being considered critical by some.

That flaw can result in a buffer overflow and remote execution of code
by an attacker, with no user interaction, said Frank Nagle, assistant
director of vulnerability aggregation for iDefense, a VeriSign
company.
 
Previous Next Although Apple lists other security flaws that could be
exploited by a remote attacker, they are "less critical," according to
Secunia.

For example, two vulnerabilities in Apache 2 could be exploited by a
remote attacker to either bypass security restrictions or launch a
denial-of-service attack.

But Apple did not set Apache 2 by default, so it is less of an issue
than it would be if the same vulnerabilities affected Apache 1.3,
Nagle said.



_________________________________________
Attend ToorCon 
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Apple unloads dozens of fixes for OS X, InfoSec News <=
Previous by Date:  [ISN] NSF grants target cybersecurity research projects, InfoSec News
Next by Date:  [ISN] Indian call centres sell off Australians' details, InfoSec News
Previous by Thread:  [ISN] NSF grants target cybersecurity research projects, InfoSec News
Next by Thread:  [ISN] Indian call centres sell off Australians' details, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]