Apple patches gaping DNS hole
Written by Rob Squires   
Sunday, 03 August 2008


APPLE HAS FINALLY RELEASED a 65Mb security update to users of its Tiger and Leopard operating systems to address that pesky, critical and well-publicized DNS flaw, along with a dozen other updates. 

The DNS flaw, which was first reported by Dan Kaminsky of IOActive on July 8, could allow attackers to redirect Web site visitors to any site they choose and present forged information. 

Security Update 2008-005, which is available through Software Update under the Apple icon in the menu bar, also fixes a number of other security issues, as follows:

Open Scripting Architecture
   Fixes an elevated privileges bug when loading plugins
CarbonCore
   Fixes stack overflow in handling long file names. Potential code execution.
CoreGraphics
   Fixes two bugs, both code execution: one for malicious graphics, the other for malicious PDFs.
Data Detectors Engine
   Prevents engine crashes when parsing maliciously-crafted content.
Disk Utility
   Stops local users from obtaining System privileges.
OpenLDAP
   Fixes an ASN parsing bug which can lead to a crash.
OpenSSL
   Repairs a range-checking error which can lead to remote code execution.
PHP
   Fixes five different bugs, one of which can lead to remote code execution.
QuickLook
   Blocks maliciously-crafted Microsoft Office files which can cause QuickLook to crash or allow remote code execution.
rsync
   Fixes path validation errors.

Apple's update also fixes a QuickLook bug where loading a malicious Microsoft Office file could lead to "arbitrary code execution."

Apple highly recommends installing Security Update 2008-005 on all systems running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, or Mac OS X Server v10.5.4. The update is available at Apple.com or through the update mechanism in OS X.

 
© 2012 Network News Journal