Bumper bundle of security patches for Mac OS X
by Stephen Withers   
Wednesday, 19 December 2007
The Software Update update is an interesting one. It has long been known that online software update mechanisms may be open to a 'man in the middle' attack - if a miscreant could find a way to intercept traffic to the update server, it would be possible to deliver malware to the computer being updated. Apparently Mac OS X 10.5 introduced a feature that allowed the execution of external command scripts delivered by the (supposed) update server, allowing the execution of arbitrary commands. This feature has been disabled by Security Update 2007-009.

A swag of other components are also updated. Among the more interesting issues fixed by Security Update 2007-009 are:

"Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission" (10.5 only) Are you running as an admin user? For which folders do you have write access? Potentially very nasty.

"Opening a directory containing a maliciously-crafted .DS_Store file in Finder may lead to arbitrary code execution" (10.4 only) Presumably this could be exploited via a malicious disk image file. Also, thumb drives are so cheap you might give them away outside an office building as a way of introducing your malware into the target organisation.

"Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution" (10.4 only)

"Opening an executable mail attachment may lead to arbitrary code execution with no warning" (10.5 only) Another nasty one. While users should be very careful of opening executable attachments or downloads, the fact that the OS would warn in some circumstances but not others adds to the risk involved. How this previously-fixed bug found its way back into Mac OS X 10.5 remains a mystery.

Security Update 2007-009 can be downloaded using Software Update or via Apple Downloads.
