3/30/2006 - New Safari image-rendering vulnerability in ImageIO.
Drunkenblog[dot]com has posted information on a new ImageIO vulnerability which can cause Safari and other system components (including the Finder) to crash. What's the threat? It is the same type of situation we saw with the recent MS06-001 vulnerability in the Windows world. If these specially crafted images begin to appear all over the web, this issue could get bigger and bigger. A proof-of-concept image was included in the blog posting.
DO NOT FOLLOW THIS LINK IN SAFARI - original posting

3/30/2006 - Update on RealNetworks Security Vulnerabilities (RealPlayer 10 and RealOne Player)
Mac RealPlayer 10 (10.0.0.305-331) and Mac RealOne Player are vulnerable to the following:
CVE-2006-0323 - The identified vulnerability is a malicious swf file (flash media) which could cause a buffer overrun on a customer's machine.
CAN-2005-2922 - The identified vulnerability involves the housing of a specially crafted web page on a malicious server which could cause a heap overflow in the embedded player.
If you are running a vulnerable version of RealPlayer or RealOne Player, you can update to the current version via RealPlayer's "Check for Update" mechanism.
See the original bulletin here.
Zfone - Public Beta for secure VOIP Communications
If you have not taken a look at Zfone yet, we encourage you to do so. This is Phil Zimmermann's new VOIP product (successor to PGPfone). What makes this one better (aside from it being available on OS X and Linux first)?
"The ZRTP protocol has some nice cryptographic features lacking in many other approaches to VoIP encryption. Although it uses a public key algorithm, it does not rely on a public key infrastructure (PKI). In fact, it does not use persistent public keys at all. It uses ephemeral Diffie-Hellman with hash commitment, and allows the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string for the users to read and compare over the phone. It has perfect forward secrecy, meaning the keys are destroyed at the end of the call, which precludes retroactively compromising the call by future disclosures of key material. But even if the users are too lazy to bother with short authentication strings, we still get fairly decent authentication against a MiTM attack, based on a form of key continuity. It does this by caching some key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. All this is done without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream."
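A simplified sketch of the commit-then-reveal Diffie-Hellman exchange, short authentication string and key continuity described in the quote above. This is an added example, not Zfone or ZRTP code: the toy group, the hash labels and the names Party, run_call and check_commit are assumptions made for illustration and do not follow the ZRTP wire format.

```python
import hashlib
import hmac
import secrets

# Toy group, for illustration only (assumption): not the parameters ZRTP uses.
P, G = 2**255 - 19, 2

def h(label: bytes, *parts: bytes) -> bytes:
    return hashlib.sha256(label + b"".join(parts)).digest()

def enc(n: int) -> bytes:
    return n.to_bytes(32, "big")  # fixed width keeps the hash input unambiguous

class Party:
    def __init__(self, cached: bytes = b""):
        self.priv = secrets.randbelow(P - 2) + 1  # ephemeral, new for every call
        self.pub = pow(G, self.priv, P)
        self.cached = cached  # secret retained from the previous call, if any

    def commit(self) -> bytes:
        # Sent before the peer's public value is seen; binds this side's key.
        return h(b"commit", enc(self.pub))

    def finish(self, peer_pub: int, init_pub: int, resp_pub: int):
        shared = pow(peer_pub, self.priv, P)
        key = h(b"key", enc(shared), enc(init_pub), enc(resp_pub), self.cached)
        sas = h(b"sas", key)[:2].hex()   # short string the users read aloud
        self.cached = h(b"retain", key)  # mixed into the next call's key
        self.priv = None                 # ephemeral secret destroyed after the call
        return key, sas

def check_commit(commit: bytes, revealed_pub: int) -> bool:
    return hmac.compare_digest(commit, h(b"commit", enc(revealed_pub)))

def run_call(alice: Party, bob: Party, mallory: Party = None):
    """Alice initiates. If mallory is given, she replaces both public values."""
    to_bob = mallory if mallory else alice
    to_alice = mallory if mallory else bob
    commit = to_bob.commit()  # step 1: commitment reaches Bob
    # step 2: Bob's (or Mallory's) public value reaches Alice
    if not check_commit(commit, to_bob.pub):  # step 3: reveal and verify
        raise ValueError("revealed key does not match commitment")
    return (alice.finish(to_alice.pub, alice.pub, to_alice.pub),
            bob.finish(to_bob.pub, to_bob.pub, bob.pub))

if __name__ == "__main__":
    a, b = Party(), Party()
    (ka, sa), (kb, sb) = run_call(a, b)
    print("honest call: SAS", sa, sb, "match:", sa == sb)
    a2, b2, m = Party(a.cached), Party(b.cached), Party()
    (ka2, sa2), (kb2, sb2) = run_call(a2, b2, m)
    print("intercepted call: SAS", sa2, sb2, "keys equal:", ka2 == kb2)
```

In this sketch, a substitution on a first call with no cached secret is exposed only by comparing the SAS aloud; once both sides hold a retained secret from an earlier honest call, the interposed party can no longer derive either side's key.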
University of Wisconsin Security Challenge ends....
According to Slashdot, "The University of Wisconsin Security Challenge has ended after 38 hours, intermittent DoS attacks, 4000 ssh login attempts, a bandwidth spike of 30 Mbps, and 6 million logged ipfw events. During this time there were 'no successful access attempts, nor any claims of a successful attempt.'"
Read More.....
Microsoft Speaks out Against Apple's Security Practices and Policies.
A security program manager at Microsoft Corp. has scolded rival Apple Computer for claiming that its security updates are just as transparent, informative, and detailed as those that come out of the Redmond, Wash. developer every month. Read More...
Security Update 2006-002 Mac OS X 10.4.5 Released
Apple has posted Security Update 2006-002 for Mac OS X 10.4.5. It is currently available via Software Update, or from Apple's download site. This update includes Security Update 2006-001, and addresses some new issues as well.
Components addressed include:
apache_mod_php
CoreTypes
LaunchServices
Mail
rsync
Safari
The update is available for download here...