Apple releases fixes for Mac OS X, iPhone vulnerabilities

By Edmund X. DeJesus, Contributor 01 Aug 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The fix to Mac OS X addresses multiple vulnerabilities, some rated as highly critical by security advisory service Secunia. These vulnerabilities include the possibility of bypassing security, cross-site scripting, spoofing, manipulating data, exposing sensitive information, escalating privileges, denial of service and unauthorized system access. The fix is available for Mac OS X and Mac OS X Server versions 10.3.9 and 10.4.10. This is the largest Mac OS X fix since January 2007.

While several of these vulnerabilities require the user to click on specially crafted URIs, open special files or visit special Web sites, many allow direct interference by malicious users. Several of the vulnerabilities permit remote manipulation. The vulnerabilities involve operating system components such as CFNetwork, CoreAudio, cscope, iChat, Kerberos, mDNSResponder, PDFKit, PHP, Quartz Composer, Samba, Squirrelmail, Apache Tomcat, WebCore, WebKit, Safari, bzgrep, bzip2, gnuzip and zgrep.

The iPhone flaw involves a weakness in the device's version 1.0 software involving several Web access vulnerabilities. These vulnerabilities include cross-site scripting, unexpected application termination, spoofing or arbitrary code execution. The vulnerabilities involve components such as Safari, WebCore and WebKit. The version 1.0.1 update is only available through iTunes.

The iPhone update comes after a group of security researchers last week became the first to demonstrate how to take control of the Apple iPhone (.pdf).

The first attack scenario is a straightforward one in which the attacker sends an Apple iPhone user an email containing a link to a malicious Web site. Once the user clicks on the link, the attacker's Web server exploits a flaw in the Safari browser that runs on the phone and takes control of the device.

The researchers, Charlie Miller, Joshua Mason and Jake Honoroff, also used a second HTML-based exploit to force the iPhone to perform some trivial functions, such as buzzing and vibrating. However, they said the same attack could be used to exploit additional APIs in the phone to make calls, send text messages or record conversations and send them to a third party.

The trio of experts at Baltimore-based Independent Security Evaluators, will discuss their findings at the Black Hat USA conference in Las Vegas this week.

Tags: Alternative OS security: Mac, Linux, Unix, etc.,  Handheld and Mobile Device Security Best Practices,  Smartphone and PDA Viruses and Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Alternative OS security: Mac, Linux, Unix, etc. Machiavelli Mac OS X rootkit unveiled at Black Hat How secure is 'Platform as a Service (PaaS)?' Security comparison: Mac OS X vs. Windows Mac OS memory flaws pose challenges for enterprise endpoint protection Rootkit Hunter demo: Detect and remove Linux rootkits Oracle to buy Sun Microsystems for $7.4 billion How to harden Linux operating systems Serious holes in Mac OS X memory, researcher shows What is the best operating system for an FTP server implementation? Black Hat DC 2009: Mac OS attack method Alternative OS security: Mac, Linux, Unix, etc. Research Handheld and Mobile Device Security Best Practices Researchers find thousands of flawed embedded devices Best Mobile Data Security Products Should Windows Mobile updates come from Microsoft? MMS messaging spoof hack could have global ramifications How to prevent mobile phone spying Unified communications: Securing a converged infrastructure RIM patches serious BlackBerry Attachment Service flaws How secure are iPhone App Store mobile applications? Is there a spy on my mobile device? Mobile phones win during Pwn2Own contest Handheld and Mobile Device Security Best Practices Research Smartphone and PDA Viruses and Threats US-CERT warns of BlackBerry snooping software Mini guide: How to remove and prevent Trojans, malware and spyware SMS attacks against BlackBerry certificate flaw possible MMS messaging spoof hack could have global ramifications Unified communications: Securing a converged infrastructure RIM patches serious BlackBerry Attachment Service flaws Latest Apple iPhone features prompt security concerns SMS mobile worm attacks Symbian smartphones Smartphone security lacking at many businesses RIM warns of serious vulnerability in BlackBerry Web loader

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary