Apple patches dozens of dangerous Mac flaws

By SearchSecurity.com Staff
14 Mar 2007 | SearchSecurity.com

Security Wire Daily News

Apple Computer Inc. issued a security update Tuesday addressing 45 flaws found within the operating system and some third-party applications.

The Cupertino, Calif.-based company addressed some critical issues in its software, which were discovered as part of the Month of Apple Bugs and the Month of Kernel Bugs. The update also fixes some third-party applications, such as Adobe Systems' Flash Player and the MySQL database.

Several flaws could be exploited by an attacker to conduct a denial-of-service attack or elevate privileges to access data, according to a security alert issued Tuesday by Apple. Other flaws could allow an attacker to gain full control over a victim's computer.

Apple Mac OS X and Mac OS X Server versions 10.4.8 and earlier are affected. The software vendor said its automatic update would fix the issues.

In an advisory it released on the issues, security vendor Symantec said it was unaware of any exploits in the wild.

"To exploit some of these issues, an attacker must entice an unsuspecting user to execute a malicious file," Symantec said.

A stack-based buffer-overflow vulnerability affects the handling of images with embedded ColorSync profiles. Also found was an unspecified memory-corruption vulnerability affecting the 'diskimages-helper' when arbitrary disk images are mounted.

The AppleTalk networking protocol handler contains a memory-corruption issue and a heap buffer overflow vulnerability that may lead to a denial of service or arbitrary code execution.

An authentication-bypass vulnerability was also discovered, attributed to a flaw in DirectoryService. It allows unprivileged LDAP users to modify the local root password.

AppleSingleEncoding disk images are also affected by an integer-overflow vulnerability, and a flaw triggered by incomplete SSL connections with the CUPS service opens the operating system to a denial-of-service attack, Symantec said.

Other flaws include a problem in the SSH key creation process; insufficient controls in the IOKit HID interface; an insecure command-execution issue affecting the initialization process of USB printers; and an unspecified memory-corruption flaw that arises during the handling of RAW image files.

Symantec credited Andrew Garber of University of Victoria, Alex Harper, Michael Evans, and Luke Church of the Computer Laboratory at the University of Cambridge, Jeff Mccune of The Ohio State University, and Cameron Kay of Massey University, New Zealand with the discovery of some of the issues.
