Hot off the Press - News & Commentary
Friday, 12/03/2004 by Tech-Edge E-zine

Apple Patches 16 Serious OS X Holes!
Cupertino, CA. – This Thursday Apple quietly released a huge OS X update that patches 16 potentially serious vulnerabilities in an operating system that Mac-heads proudly point to as always being perfect. In fact, MacCentral, a Macintosh news site owned by MacWorld, so soft-pedaled the release, headlining it "Apple releases December Security Update", that you would think it was a couple of minor fixes!

According to the Apple advisory, the update patches flaws that could lead to security bypass, spoofing, exposure of sensitive data, privilege escalation, denial of service (DoS) and unauthorized system access. The security research firm Secunia has rated the update "highly critical" and crucial to apply.

One-third of the patches deal directly with the open-source Apache Web server that ships with OS X. Among them, the Mac OS X Server-specific "mod_digest_apple" module needed the same corrections for replay attacks against Digest authentication that the upstream Apache project had already shipped in versions 1.3.31 and 1.3.32; until now, sites relying on that module remained exposed to replay of captured authentication responses.

Apple also plugged multiple holes in Apache and “mod_ssl” that could be exploited by hackers to inject malicious characters into error log files, bypass certain security restrictions, gain escalated privileges, gain unauthorized access to other Web sites, cause a DoS condition, and potentially compromise a vulnerable system.

The update also fixes an Apache configuration issue in which access to ".DS_Store" files and files beginning with ".ht" (such as .htaccess and .htpasswd) was not completely blocked. Apple said the problem exists because its HFS+ file system resolves file names case-insensitively, while the Apache configuration's deny rule matches names case-sensitively, so a request for ".HTACCESS" slips past the rule yet still finds the file on disk. Also corrected are integer overflows and poor range checking in TIFF handling in AppKit. "Flaws in decoding TIFF images could overwrite memory, cause arithmetic errors resulting in a crash, or permit the execution of arbitrary code. This update corrects the problems in the handling of TIFF images," the advisory said.
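To make the case-sensitivity mismatch concrete, here is an added example in Python (not code from the Apple advisory or from Apache itself) that models the decision: the deny pattern is tested against the name exactly as the client requested it, and only then does a constructed HFS+-style directory listing resolve that name case-insensitively. The file names, the resolve_hfs_plus and serve helpers, and the hardened pattern are assumptions for illustration; the hardened pattern uses bracketed character classes rather than a regex flag so it would work in any regex flavor, and it also covers .DS_Store.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for a DocumentRoot directory on HFS+ (not a real listing).
# These are the names as stored on disk.
DOC_ROOT_FILES = {".htaccess", ".htpasswd", ".DS_Store", "index.html", "htdocs.txt"}

# Default-style Apache 1.3 rule: blocks names starting with ".ht", case-sensitively,
# and says nothing about .DS_Store.
WEAK_DENY = re.compile(r"^\.ht")

# Hardened rule (assumed form, not Apple's exact line): case-insensitive via
# character classes, and it also covers .DS_Store.
FIXED_DENY = re.compile(r"^\.([Hh][Tt]|[Dd][Ss]_[Ss])")


def resolve_hfs_plus(requested: str) -> Optional[str]:
    """Model HFS+ (case-insensitive, case-preserving) name lookup.

    Returns the name as stored on disk, or None if nothing matches.
    """
    for name in DOC_ROOT_FILES:
        if name.lower() == requested.lower():
            return name
    return None


def serve(requested: str, deny: re.Pattern) -> str:
    """Apache-like decision for a request for one file in the document root.

    The <Files ~ "..."> rule is matched against the requested name exactly
    as the client sent it; only afterwards does the filesystem resolve it.
    """
    if deny.search(requested):
        return "403"                      # refused by the deny rule
    on_disk = resolve_hfs_plus(requested)
    if on_disk is None:
        return "404"                      # nothing on disk by that name
    return "200 " + on_disk               # served: shows which file was actually opened


def audit(requests: List[str]) -> Dict[str, Dict[str, str]]:
    """Compare both rules over a list of requested names."""
    return {req: {"weak": serve(req, WEAK_DENY), "fixed": serve(req, FIXED_DENY)}
            for req in requests}


if __name__ == "__main__":
    for req, result in audit([".htaccess", ".HTACCESS", ".HtPasswd",
                              ".DS_Store", ".ds_store", "index.html"]).items():
        print(f"{req:12} weak={result['weak']:16} fixed={result['fixed']}")
```

With the weak rule, ".HTACCESS" and ".ds_store" both come back 200 and the response shows which real file was opened; with the hardened rule they are refused. The configuration-level fix follows the same idea: make the pattern in the Files (or FilesMatch) block case-insensitive and include .DS_Store in it, or serve the document root from a case-sensitive filesystem.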

There are also patches that plug a buffer overflow in PostScript-to-PDF conversion that could allow execution of arbitrary code and a separate flaw in the QuickTime Streaming Server that could lead to DoS attacks.

Apple's Safari Web browser was also patched to secure users against URL-spoofing attacks and misleading information about which Web site launched a pop-up window.

With so many major patches and fixes in this release, it makes one wonder why Apple held off so long before shipping this monstrous "point" patch release for OS X. With all the bashing that Mac-centric sites like MacCentral give Microsoft at every Windows patch release, perhaps Apple was trying to sneak this one by under the general PC public's line of sight. In other words, face saving.

All rights reserved. Copyright ©1999-2003.