4/20/2006
- Updated Coverage on Unpatched Mac OS X Vulnerabilities
We reported these previously, as they were reported on security-protocols.com. However, they seem to be getting press again. Updated bulletins have been posted as well.
Apple OS X 10.4.5 .tiff "LZWDecodeVector ()" Heap Overflow
Apple OS X BOM ArchiveHelper .zip Heap Overflow
Apple OS X Safari 2.0.3 Multiple Vulnerabilities
Apple OS X 10.4.6 "ReadBMP ()" .bmp Heap Overflow
Apple OS X 10.4.6 "CFAllocatorAllocate ()" .gif Heap Overflow
Apple OS X 10.4.6 .tiff "_cg_TIFFSetField ()" DoS
Apple OS X 10.4.6 .tiff "PredictorVSetField ()" Heap Overflow

4/19/2006
- Oracle Patches 35+ Vulnerabilities.
Oracle has released their Critical Patch Update for April 2006. Numerous vulnerabilities are addressed, including some which affect Oracle running on Mac OS X. One such example would be CVE-2006-1705.
4/18/2006
- Symantec LiveUpdate Local Privilege Escalation Vulnerability
Some components of Symantec's LiveUpdate for Macintosh do not set their own execution path environment. A non-privileged user can change their execution path environment. If the user then executes one of these components, it inherits the changed environment and uses it to locate system commands. These components are configured to run with system administrative privileges (SUID) and are therefore vulnerable to a potential Trojan horse attack.
The full bulletin can be read here. The patch for this issue is available via LiveUpdate.
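The defect described above is the classic pattern of a SUID program resolving commands through a PATH it inherited from an unprivileged caller. The following is an added example, not code from Symantec or from the bulletin, showing the hardening a privileged helper should apply instead: validate any inherited PATH against an allowlist of system directories (the allowlist and the fixed PATH value are assumptions for illustration), and spawn children only by absolute path with a fixed, minimal environment so the caller's PATH is never consulted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Directories a privileged helper may resolve commands from (assumed allowlist). */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin", NULL };

/* Fixed PATH value the helper installs for any child it spawns (assumed). */
#define SAFE_PATH "PATH=/usr/bin:/bin:/usr/sbin:/sbin"

/*
 * Returns 1 if every entry in a PATH string is one of TRUSTED_DIRS, 0 otherwise.
 * An empty entry ("::", or a leading/trailing ':') is rejected because it means
 * the current directory, which is exactly the kind of caller-controlled
 * location a SUID binary must never search.
 */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)
            return 0;
        int ok = 0;
        for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
            if (strlen(TRUSTED_DIRS[i]) == len && strncmp(TRUSTED_DIRS[i], p, len) == 0) {
                ok = 1;
                break;
            }
        }
        if (!ok)
            return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/*
 * Run an absolute-path command with a minimal, fixed environment.
 * The caller's PATH (and the rest of its environment) is never consulted,
 * so a user who pointed PATH at a directory they control gains nothing.
 * Returns the child's exit status, or -1 on failure.
 */
int run_trusted(const char *abs_cmd, char *const argv[])
{
    if (abs_cmd == NULL || abs_cmd[0] != '/')
        return -1;                       /* refuse anything that would need a PATH search */
    char *const envp[] = { SAFE_PATH, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_cmd, argv, envp);     /* only returns on error */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: a PATH a local user might have set before launching the helper. */
    const char *user_path = "/tmp/unsafe:/usr/bin:/bin";
    printf("caller PATH %s trusted: %d\n", user_path, path_is_trusted(user_path));
    printf("stock PATH trusted: %d\n", path_is_trusted("/usr/bin:/bin:/usr/sbin:/sbin"));

    /* The helper runs /bin/sh by absolute path with its own fixed PATH, ignoring the caller's. */
    char *const argv[] = { "sh", "-c", "echo helper PATH is $PATH", NULL };
    int rc = run_trusted("/bin/sh", argv);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The two functions cover both halves of the fix: `path_is_trusted` lets a helper refuse to run at all under a tampered environment, and `run_trusted` removes the dependency on PATH entirely, which is the stronger of the two and what a patched SUID component should do regardless of what the caller set.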

4/18/2006
- MacScan 2.1 Released
Securemac.com has released MacScan 2.1. This update provides support for Intel-based Macs, as well as a definitions update to protect against a greater number of "spyware" threats. Note that the commonly accepted definition of "spyware" does not always describe some of the items detected by MacScan. Many of the detected "threats" overtly advertise their function. While they may change the security state of the host on which they are installed, any risk is assumed by the user installing them. That being said, a full list of detected "threats" is available here.
4/17/2006
- J2SE Security Update Released
Apple has released a security update for Java 2 Standard Edition (J2SE) 5.0 Release 4. This release includes J2SE 1.5.0_06, which will supersede version 1.4.2. Applications will run with 1.5.0_06 unless specifically coded to use version 1.4.2. Two security fixes are also included:
- Untrusted Java applications may obtain elevated privileges through the Java Web Start program, or through the use of "reflection" APIs.
- "Security fix for Java InputMethods"
4/17/2006
- Intego Releases Personal Antispam X4
Intego has released Personal Antispam X4. This release claims to go beyond traditional "filter-method" anti-spam solutions. It works with multiple email applications, and allows for Bayesian filtering, content filtering based on a variety of criteria, blacklist/whitelist functionality, and it "learns" from analyzing patterns in received mail. More details here.