
Mac OS X security update patches Flash Player, OpenSSL and more


Amid all the fuss about Windows security, Apple has released its first Mac OS X security update of the year.

Security Update 2010-001 is available for Mac OS X 10.6 (Snow Leopard; the same updater covers the normal and server versions) and the normal and server versions of 10.5 (Leopard). Most of the changes are common to all versions.

As usual, the updates cover code that Apple developed in house or obtained from outside.

Most notably, 2010-001 updates the Flash Player plug-in to version 10.0.42 (released by Adobe in early December), fixing multiple vulnerabilities found in older versions that could allow arbitrary code execution.

It also patches OpenSSL to disable renegotiation. This is a workaround for a TLS/SSL protocol vulnerability made public last November.

The IESG approved a fix for the issue earlier this month, so hopefully the next security update from Apple will include a version of OpenSSL that complies with the revised standard. The software running at both ends of the link needs to implement the revised protocol if the expected level of security is to be achieved.

As for Apple's own software, there are fixes for CoreAudio (buffer overflow triggered by maliciously crafted MP4 audio files), ImageIO (buffer overflow triggered by maliciously crafted TIFF images), and Image RAW (buffer overflow triggered by maliciously crafted DNG images). Spot the pattern? Sometimes it seems that if programmers can fail to attend to bounds checking, they will.

Each of the issues in that list may lead to arbitrary code execution.
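The three media-parser fixes share one root cause: a length field read from the file is trusted when copying data into a fixed-size buffer. The following is an added illustration of that bug class and its fix, written for this article; it is not Apple's code and is not taken from CoreAudio, ImageIO or Image RAW. The record format, the sample inputs and every name in it (NAME_MAX, read_name_unchecked, read_name_checked, check_sample, unchecked_overrun) are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (not a real media format):
   byte 0: tag, byte 1: payload length, bytes 2..: payload. */
#define NAME_MAX 16

/* Vulnerable form: trusts the length byte taken from the file.
   A length larger than the destination overruns 'name' (stack memory),
   which is the bug class behind the CoreAudio, ImageIO and Image RAW fixes.
   Kept here only for comparison; it is never called on untrusted input. */
size_t read_name_unchecked(const uint8_t *data, size_t size, char *name) {
    if (size < 2) return 0;
    size_t len = data[1];
    memcpy(name, data + 2, len);   /* no check against NAME_MAX or 'size' */
    name[len] = '\0';
    return len;
}

/* Hardened form: the file-supplied length is checked against both the
   destination capacity (leaving room for the NUL) and the bytes that are
   actually present in the input. Returns the payload length or -1. */
int read_name_checked(const uint8_t *data, size_t size, char *name, size_t cap) {
    if (size < 2) return -1;        /* header truncated */
    size_t len = data[1];
    if (len >= cap) return -1;      /* would not fit in the destination */
    if (len > size - 2) return -1;  /* payload truncated: would read past input */
    memcpy(name, data + 2, len);
    name[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs (not real media files). */
static const uint8_t sample_good[]      = {0x01, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t sample_oversized[] = {0x01, 0xFF, 'A', 'A', 'A'}; /* length byte lies */
static const uint8_t sample_truncated[] = {0x01, 0x05, 'h', 'e'};      /* length > input */

/* Runs the hardened parser over one sample; returns its accepted length,
   -1 when the record is rejected, -2 for an unknown sample index. */
int check_sample(int which) {
    char name[NAME_MAX];
    switch (which) {
    case 0: return read_name_checked(sample_good, sizeof sample_good, name, sizeof name);
    case 1: return read_name_checked(sample_oversized, sizeof sample_oversized, name, sizeof name);
    case 2: return read_name_checked(sample_truncated, sizeof sample_truncated, name, sizeof name);
    default: return -2;
    }
}

/* Quantifies, without executing the unsafe copy, how many bytes the
   unchecked parser would write past a NAME_MAX-byte destination
   (payload plus the terminating NUL). 0 means the record would fit. */
size_t unchecked_overrun(const uint8_t *data, size_t size) {
    if (size < 2) return 0;
    size_t needed = (size_t)data[1] + 1;
    return needed > NAME_MAX ? needed - NAME_MAX : 0;
}

int main(void) {
    char name[NAME_MAX];
    /* The unchecked parser is only ever fed the benign sample here. */
    read_name_unchecked(sample_good, sizeof sample_good, name);
    printf("unchecked, benign input: \"%s\"\n", name);
    printf("oversized record would overrun by %zu bytes\n",
           unchecked_overrun(sample_oversized, sizeof sample_oversized));
    for (int i = 0; i < 3; i++)
        printf("checked parser, sample %d: %d\n", i, check_sample(i));
    return 0;
}
```

Both checks in read_name_checked matter: the first stops the write overrun the article's advisories describe, and the second stops an over-read of the input when the length field exceeds what the file actually contains, which is the same defect seen from the source side of the copy.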

Finally, there's an update for CUPS (Common Unix Printing System). This falls into a category of its own, as CUPS is an open-source project 'owned' by Apple.

The patch covers an issue that could be used by a remote attacker to crash cupsd (the CUPS daemon). Although cupsd is automatically restarted, that wasn't a desirable situation and has now been fixed.

Available via Software Update or from Support Downloads, Security Update 2010-001 ranges in size from approximately 22MB for Snow Leopard to almost 250MB for Leopard Server.