Slash LaneApple Inc. on Thursday plugged over two dozen security exploits within the client and server versions of its Mac OS X 10.3 "Panther" and Mac OS X 10.4 "Tiger" operating systems that could potentially expose Mac users to a variety of malicious attacks.
A version of the software update for systems running Mac OS X 10.4.9 — labeled Security Update 2007-004 — does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV.
The patch is available as a 16.1MB download for Macs running the Intel version of Mac OS X 10.4.9 client version and as a 9.3MB download for those machines running the PowerPC version of the OS.
For Mac OS X 10.3.9
Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release dismantles exploits in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation.
Users of 10.3.9 can download a 37.6MB updater for the client version of the software or a 54.1MB updater for its server counterpart.
The culprits
For the most part, the vulnerabilities addressed by the Mac maker's latest security update could translate into denial of service attack, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window.
The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environmental variables, could allow local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to "require a password to wake the computer from sleep."
Malcolm Owen
Wesley Hilliard
William Gallagher
Christine McKee
42 Comments
Excellent work Apple. Down loaded in seconds. Not like the daily XP updates!
Excellent work Apple. Down loaded in seconds. Not like the daily XP updates!
Not daily actually, more like monthly (which is worse because malware comes out daily).
Not daily actually, more like monthly (which is worse because malware comes out daily).
It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.
It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.
Umm... I'm kind of confused. You're not being sarcastic are you?
Umm... I'm kind of confused. You're not being sarcastic are you?
Not at all sarcastic. I haven't heard of any malware released on OSX. Yet, even with 3-levels of defense we still have malware trickling in on our work's Windows XP computers. It is usually keyloggers that get in.
Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?