Apple Releases Security Update 2009-001

Date: Friday, February 13th, 2009, 09:56
Category: Software

Making Friday a somewhat official update-o-rama, Apple released Security Update 2009-001, its first collection of security fixes for the new year.
The 43.4 megabyte download contains the following fixes and features:

  • AFP Server:
    Impact: A user with the ability to connect to AFP Server may be able to trigger a denial of service
    Description: A race condition in AFP Server may lead to an infinite loop. Enumerating files on an AFP server may lead to a denial of service. This update addresses the issue through improved file enumeration logic. This issue only affects systems running Mac OS X v10.5.6.
  • Apple Pixlet Video:
    Impact: Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in the handling of movie files using the Pixlet codec. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.
  • CarbonCore:
    Impact: Opening a file with a maliciously crafted resource fork may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in Resource Manager’s handling of resource forks. Opening a file with a maliciously crafted resource fork may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of resource forks. Credit: Apple.
  • CFNetwork:
    Impact: Restores proper operation of cookies with null expiration times
    Description: This update addresses a non-security regression introduced in Mac OS X 10.5.6. Cookies may not be properly set if a web site attempts to set a session cookie by supplying a null value in the “expires” field, rather than omitting the field. This update addresses the issue by ignoring the “expires” field if it has a null value.
  • CFNetwork:
    Impact: Restores proper operation of session cookies across applications
    Description: This update addresses a non-security regression introduced in Mac OS X 10.5.6. CFNetwork may not save cookies to disk if multiple open applications attempt to set session cookies. This update addresses the issue by ensuring that each application stores its session cookies separately.
  • Certificate Assistant:
    Impact: A local user may manipulate files with the privileges of another user running Certificate Assistant
    Description: An insecure file operation exists in Certificate Assistant’s handling of temporary files. This could allow a local user to overwrite files with the privileges of another user who is running Certificate Assistant. This update addresses the issue through improved handling of temporary files. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.
  • ClamAV:
    Impact: Multiple vulnerabilities in ClamAV 0.94
    Description: Multiple vulnerabilities exist in ClamAV 0.94, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.94.2. ClamAV is distributed only with Mac OS X Server systems. Further information is available via the ClamAV website at http://www.clamav.net/.
  • CoreText:
    Impact: Viewing maliciously crafted Unicode content may lead to an unexpected application termination or arbitrary code execution
    Description: A heap buffer overflow may occur when processing Unicode strings in CoreText. Using CoreText to handle maliciously crafted Unicode strings, such as when viewing a maliciously crafted web page, may result in an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5. Credit to Rosyna of Unsanity for reporting this issue.
  • CUPS:
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination
    Description: Exceeding the maximum number of RSS subscriptions results in a null pointer dereference in the CUPS web interface. This may lead to an unexpected application termination when visiting a maliciously crafted website. In order to trigger this issue, valid user credentials must either be known by the attacker or cached in the user’s web browser. CUPS will be automatically restarted after this issue is triggered. This update addresses the issue by properly handling the number of RSS subscriptions. This issue does not affect systems prior to Mac OS X v10.5.
  • DS Tools:
    Impact: Passwords supplied to dscl are exposed to other local users
    Description: The dscl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. Passwords exposed include those for users and administrators. This update makes the password parameter optional, and dscl will prompt for the password if needed. Credit: Apple.
  • fetchmail:
    Impact: Multiple vulnerabilities in fetchmail 6.3.8
    Description: Multiple vulnerabilities exist in fetchmail 6.3.8, the most serious of which may lead to a denial of service. This update addresses the issues by updating to version 6.3.9. Further information is available via the fetchmail web site at http://fetchmail.berlios.de/
  • Folder Manager:
    Impact: Other local users may access the Downloads folder
    Description: A default permissions issue exists in Folder Manager. When a user deletes their Downloads folder and Folder Manager recreates it, the folder is created with read permissions for everyone. This update addresses the issue by having Folder Manager limit permissions so that the folder is accessible only to the user. This issue only affects applications using Folder Manager. This issue does not affect systems prior to Mac OS X v10.5. Credit to Graham Perrin of CENTRIM, University of Brighton for reporting this issue.
  • FSEvents:
    Impact: Using the FSEvents framework, a local user may be able to see filesystem activity that would otherwise not be available
    Description: A credential management issue exists in fseventsd. By using the FSEvents framework, a local user may be able to see filesystem activity that would otherwise not be available. This includes the name of a directory which the user would not otherwise be able to see, and the detection of activity in the directory at a given time. This update addresses the issue through improved credential validation in fseventsd. This issue does not affect systems prior to Mac OS X v10.5. Credit to Mark Dalrymple for reporting this issue.
  • Network Time:
    Impact: The Network Time service configuration has been updated
    Description: As a proactive security measure, this update changes the default configuration for the Network Time service. System time and version information will no longer be available in the default ntpd configuration. On Mac OS X v10.4.11 systems, the new configuration takes effect after a system restart when Network Time service is enabled.
  • perl:
    Impact: Using regular expressions containing UTF-8 characters may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in the handling of certain UTF-8 characters in regular expressions. Parsing maliciously crafted regular expressions may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of regular expressions.
  • Printing:
    Impact: A local user may obtain system privileges
    Description: An error handling issue exists in csregprinter, which may result in a heap buffer overflow. This may allow a local user to obtain system privileges. This update addresses the issue through improved error handling. Credit to Lars Haulin for reporting this issue.
  • python:
    Impact: Multiple vulnerabilities in python
    Description: Multiple vulnerabilities exist in python, the most serious of which may lead to arbitrary code execution. This update addresses the issues by applying patches from the python project.
  • Remote Apple Events:
    Impact: Sending Remote Apple events may lead to the disclosure of sensitive information
    Description: An uninitialized buffer issue exists in the Remote Apple Events server, which may lead to disclosure of memory contents to network clients. This update addresses the issue through proper memory initialization. Credit: Apple.
  • Remote Apple Events:
    Impact: Enabling Remote Apple Events may lead to an unexpected application termination or the disclosure of sensitive information
    Description: An out-of-bounds memory access exists in Remote Apple Events. Enabling Remote Apple Events may lead to an unexpected application termination or the disclosure of sensitive information to network clients. This update addresses the issue through improved bounds checking. Credit: Apple.
  • Safari RSS:
    Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution
    Description: Multiple input validation issues exist in Safari’s handling of feed: URLs. These issues allow execution of arbitrary JavaScript in the local security zone. This update addresses the issues through improved handling of embedded JavaScript within feed: URLs. Credit to Clint Ruoho of Laconic Security, Billy Rios of Microsoft, and Brian Mastenbrook for reporting these issues.
  • servermgrd:
    Impact: Remote attackers may be able to access Server Manager without valid credentials
    Description: An issue in Server Manager’s validation of authentication credentials could allow a remote attacker to alter the system configuration. This update addresses the issue through additional validation of authentication credentials. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.
  • SMB:
    Impact: Connecting to a maliciously crafted SMB file system may lead to an unexpected system shutdown or arbitrary code execution with system privileges
    Description: An integer overflow in SMB File System may result in a heap buffer overflow. Connecting to a maliciously crafted SMB file system may lead to an unexpected system shutdown or arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.
  • SMB:
    Impact: Connecting to a maliciously crafted SMB file server may lead to an unexpected system shutdown
    Description: A memory exhaustion issue exists in the SMB File System’s handling of file system names. Connecting to a maliciously crafted SMB file server may lead to an unexpected system shutdown. This update addresses the issue by limiting the amount of memory allocated by the client for file system names. Credit: Apple.
  • SquirrelMail:
    Impact: Multiple vulnerabilities in SquirrelMail
    Description: SquirrelMail is updated to version 1.4.17 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. Further information is available via the SquirrelMail web site at http://www.SquirrelMail.org/
  • X11:
    Impact: Multiple vulnerabilities in X11 server
    Description: Multiple vulnerabilities exist in X11 server. The most serious of these may lead to arbitrary code execution with the privileges of the user running the X11 server, if the attacker can authenticate to the X11 server. This update addresses the issues by applying the updated X.Org patches. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security
  • X11:
    Impact: Multiple vulnerabilities in FreeType v2.1.4
    Description: Multiple vulnerabilities exist in FreeType v2.1.4, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. This update addresses the issues by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/ The issues are already addressed in systems running Mac OS X v10.5.6.
  • X11:
    Impact: Multiple vulnerabilities in LibX11
    Description: Multiple vulnerabilities exist in LibX11, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. This update addresses the issues by applying the updated X.Org patches. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security These issues do not affect systems running Mac OS X v10.5 or later.
  • XTerm:
    Impact: A local user may send information directly to another user’s Xterm
    Description: A permissions issue exists in Xterm. When used with luit, Xterm creates tty devices accessible by everyone. This update addresses the issue by having Xterm limit the permissions so tty devices are accessible only by the user.
Security Update 2009-001 requires Mac OS X 10.5 or later to install and run.
If you’ve tried the update and noticed any changes, please let us know in the comments or forums.
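The two CFNetwork entries above describe a cookie-handling regression (a session cookie sent with an empty “expires” field was not set at all) and its fix (ignore the empty field), plus a second fix that keeps each application’s session cookies separate. The following added example is not CFNetwork’s code; it is an illustrative parser and store written for this page (the names `parse_set_cookie`, `Cookie` and `CookieStore` are chosen here) that shows both behaviours side by side, with `strict=True` reproducing the regression and the default reproducing the fix. The sample headers are constructed.

```python
"""Session-cookie handling modelled on the two CFNetwork entries: an empty
"expires" attribute is ignored instead of dropping the cookie, and session
cookies are partitioned per application. Illustrative code, not CFNetwork's."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime] = None          # None -> session cookie
    attributes: dict = field(default_factory=dict)

    @property
    def is_session(self) -> bool:
        return self.expires is None


def parse_set_cookie(header: str, strict: bool = False) -> Optional[Cookie]:
    """Parse one Set-Cookie header value.

    strict=False (the fixed behaviour): "expires=" with no value is ignored and
    the cookie becomes a session cookie.  strict=True mirrors the 10.5.6
    regression, where such a header caused the cookie not to be set (None).
    """
    parts = [p.strip() for p in header.split(";")]
    if not parts or "=" not in parts[0]:
        return None                              # no name=value pair: not a cookie
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            if val == "":
                if strict:
                    return None                  # regression: whole cookie lost
                continue                         # fix: treat as absent -> session
            try:
                cookie.expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):      # unparseable date: same policy
                if strict:
                    return None
                continue
        else:
            cookie.attributes[key] = val         # path, domain, secure, httponly, ...
    return cookie


class CookieStore:
    """Persistent cookies are shared; session cookies are partitioned by app."""

    def __init__(self) -> None:
        self._persistent: dict[str, Cookie] = {}
        self._session: dict[str, dict[str, Cookie]] = {}

    def store(self, app_id: str, header: str) -> bool:
        cookie = parse_set_cookie(header)
        if cookie is None:
            return False
        if cookie.is_session:
            self._session.setdefault(app_id, {})[cookie.name] = cookie
        else:
            self._persistent[cookie.name] = cookie
        return True

    def get(self, app_id: str, name: str) -> Optional[Cookie]:
        return self._session.get(app_id, {}).get(name) or self._persistent.get(name)


if __name__ == "__main__":
    # constructed sample headers: two applications each receive a session "sid"
    store = CookieStore()
    store.store("Safari", "sid=abc123; expires=; Path=/; HttpOnly")
    store.store("Mail", "sid=zzz999; Path=/")
    print(store.get("Safari", "sid").value, store.get("Mail", "sid").value)
```

The per-application partition is what stops one application’s session cookie from silently replacing another’s; persistent cookies (those with a parseable `Expires`) stay shared, which is the behaviour a user expects across applications.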

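The DS Tools entry above is a general lesson rather than a dscl-specific one: anything placed in a process’s arguments is visible to every local user through `ps`, which is why the update makes dscl prompt for the password instead. The added example below is not dscl’s code; it uses `cat` as a stand-in for any tool that can read a secret from standard input, and the helper names (`argv_leaks`, `own_cmdline`, `obtain_secret`, `run_with_secret_on_stdin`) and the `TOOL_PASSWORD` variable are chosen here. It shows how to detect the leaky pattern in a command line you are about to run, how to look at your own process the way another user would, and how to hand the secret over without argv.

```python
"""Keeping a password out of argv, after the DS Tools entry. Not dscl's code:
`cat` stands in for a tool that reads its secret from stdin; all names are
chosen for this example."""
from __future__ import annotations
import getpass
import os
import subprocess
import sys
from typing import Optional


def argv_leaks(argv: list[str], secret: str) -> list[int]:
    """Indices of argv entries containing the secret verbatim.

    Any index returned is a leak: command-line arguments are readable by every
    local user (ps, or /proc/<pid>/cmdline on Linux), which is exactly the
    exposure a mandatory password argument creates.
    """
    if not secret:
        return []
    return [i for i, arg in enumerate(argv) if secret in arg]


def own_cmdline() -> Optional[list[str]]:
    """This process's command line as any local user would see it (Linux /proc).

    Returns None where /proc is absent (e.g. macOS); `ps -o args= -p $PID`
    shows the same information there.
    """
    try:
        with open(f"/proc/{os.getpid()}/cmdline", "rb") as fh:
            return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        return None


def obtain_secret(env_var: str = "TOOL_PASSWORD") -> str:
    """Prompt on a terminal (the behaviour the update gives dscl); in scripts,
    read an environment variable instead, which unlike argv is not readable by
    other unprivileged users."""
    if sys.stdin.isatty():
        return getpass.getpass("Password: ")
    return os.environ.get(env_var, "")


def run_with_secret_on_stdin(argv: list[str], secret: str, timeout: float = 10) -> str:
    """Run a tool that reads its secret from stdin; refuse if it is also in argv."""
    if argv_leaks(argv, secret):
        raise ValueError("secret must not appear on the command line")
    proc = subprocess.run(argv, input=secret + "\n", capture_output=True,
                          text=True, timeout=timeout, check=True)
    return proc.stdout


if __name__ == "__main__":
    demo_secret = "hunter2"                       # constructed sample value
    bad = ["tool", "-u", "admin", "-P", demo_secret]
    print("leaks at argv positions:", argv_leaks(bad, demo_secret))
    print("own cmdline:", own_cmdline())
    print("read back via stdin:", run_with_secret_on_stdin(["cat"], demo_secret).strip())
```

The refusal in `run_with_secret_on_stdin` is the useful part for wrapper scripts: it turns the leak into a hard error at the call site instead of a quiet exposure for as long as the child process runs.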

Apple Releases Java for OS X 10.5 Update 3

Date: Friday, February 13th, 2009, 08:39
Category: Software

Early Friday, Apple released its Java for Mac OS X 10.5 Update 3 patch. The 3.1 megabyte download adds the following fix:

  • Java:
    Impact: Multiple vulnerabilities in Java Web Start and Java Plug-in
    Description: Multiple vulnerabilities exist in Java Web Start and the Java Plug-in, the most serious of which may allow untrusted Java Web Start applications and untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution with the privileges of the current user. This update provides patches for the Java Bug IDs 6694892, 6707535, 6727081 and 6767668 from Sun Microsystems.

The update requires Mac OS X 10.5 or later to install and run.
If you’ve tried the update and have any feedback to offer, let us know in the comments or forums.


Monoprice.com to Begin Selling Mini DisplayPort to HDMI Adapter on March 15th

Date: Thursday, February 12th, 2009, 13:39
Category: MacBook

If you own a unibody MacBook or MacBook Pro with a Mini DisplayPort and want to export video to a TV or other HDMI device, hang on for just a bit longer.
According to AppleInsider, discount cable outlet Monoprice.com will begin selling Mini DisplayPort to HDMI adapters for US$14.25 starting March 15th. Two other new adapters, converting the Mini DisplayPort signal to either DVI or VGA, will also be available that same day. The vast majority of today’s HDTVs have HDMI inputs, but DisplayPort is a relatively new player on the connection standard scene and connectors between the two are rare, especially for Mac owners.
Some users have been able to work around the problem with a Mini DisplayPort to DVI adapter that in turn feeds a DVI to HDMI cable, though that method may be less than ideal: it requires the purchase of two adapters, may not be aesthetically satisfying and may degrade the video to a certain extent.
Apple currently sells a Mini DisplayPort to VGA adapter for US$29 as well as DVI adapters for US$29 through the Apple Store, but nothing for the HDMI standard.
Stay tuned for additional details as they become available and feel free to hurl your two cents in via the comments or forums.


MacBook to Modbook in About a Minute

Date: Thursday, February 12th, 2009, 09:16
Category: Fun

The guys at TechRestore have sent along the following video of a conversion from an Apple MacBook to Axiotron’s Modbook tablet. (Disclaimer: TechRestore is a PowerPage sponsor.)
The video runs for less than two minutes and uses some undoubtedly nifty stop motion techniques to make it even more interesting.
Take a gander and let us know what you think in the comments or forums.


Microsoft Implements Hotmail POP3 Support in United States, Other Countries

Date: Wednesday, February 11th, 2009, 10:55
Category: iPhone

Back in January, Microsoft announced that the company would be bringing POP3 access to its Hotmail services in select countries, a change which would prove helpful to a number of iPhone owners. Unfortunately, the service had yet to become available in the United States.
According to iPhone Alley, Microsoft seems to have implemented this feature in the United States as well as other countries since the announcement. Per notice received today, POP3 support is currently active and working on the iPhone.
In order to get Hotmail POP3 up and running on your iPhone, you’ll have to manually set everything up. To do this, use pop3.live.com (port 995) for incoming mail and smtp.live.com (port 25) for outgoing. Your account will be your full Hotmail/Live address.
If you’ve tried this on your iPhone or iPod touch and can offer any feedback, please let us know in the comments or forums.


Rumor: Apple May Bundle Professional Features for Free Into Mac OS X 10.6

Date: Wednesday, February 11th, 2009, 08:38
Category: Rumor

It came from the rumor mill, so while it’s still unconfirmed, it’s at least interesting.
According to MacRumors, an architectural overhaul to Apple’s QuickTime media software due as part of Mac OS X 10.6 Snow Leopard may ship with a media player that bundles once-premium features at no cost.
For over a decade now, Apple has distributed a limited version of its QuickTime Player application with its operating systems, offering the Pro version as a commercial add-on. Once purchased, QuickTime Pro unlocks advanced recording, sharing, saving and exporting functions; the license key sells for US$29.95 and is also bundled with some of Apple’s Pro software titles.
The QuickTime Pro licensing system appears due to change, as a source familiar with the latest distributions of Snow Leopard told MacRumors earlier this week that the software arrived with a version of Player that unlocks all of QuickTime Pro’s existing features by default.
Though the accessibility of Pro features in the Snow Leopard builds could simply be a means of allowing developers to test the new version of QuickTime, it was also reported that the QuickTime system preference panel has been updated to completely omit the registration pane.
In recent years, Apple has loosened its grip on some legacy QuickTime Pro features while debuting others. In early 2007, the company added a new feature to the professional version of QuickTime that allowed users to export video on their computers in a format suitable for its then fledgling Apple TV media hub. A few months later it unlocked full-screen playback, a feature once exclusive to the Pro software.
Current speculation points to Apple shedding its need to directly earn revenue from QuickTime licensing, a need which may have changed from the days when Apple was generating income solely from its sales of Macintosh computers.
Shortly after the initial development of QuickTime 1.0 in 1991, Apple attempted to cover its development costs by packaging the technology into a US$149 Pro version of its Mac System 7 operating system software in 1993. That plan failed miserably, given users’ expectation of free updates and the many other System 7 technologies they were still becoming acquainted with.
When QuickTime 2.0 was released in 1994, it was the only version to be released as a paid-only upgrade and was also the first version offered for Windows. By version 2.1, Apple was back to offering QuickTime for free, largely to spur rapid cross-platform adoption as it fought with Microsoft to deliver the best video playback platform.
Apple’s inability to successfully license QuickTime as a raw software technology to the broad consumer market helps to explain why the company also makes no effort to sell Mac OS X to other hardware makers or as a retail product, and instead bundles its software with hardware sales.
Stay tuned for additional details as they become available, and if you’ve played with a version of Mac OS X 10.6 and can offer any feedback about it, let us know in the comments or forums.


PowerPage Podcast Episode 52

Date: Thursday, July 26th, 2007, 09:37
Category: Podcast

Episode 52 of the PowerPage Podcast is now available. You can either download it from the iTunes Store or directly (1:23’14, 29.6MB, AAC).
Your panel: Jason O’Grady, Rob Parker, Youngmoo Kim and Chris Barylick.
Topics include: Apple’s Q3 2007 financial results and AT&T’s Q2 results, the first reporting periods after the iPhone launch. We also discuss “what’s on your Mac?”
Subscribe to the PowerPage Podcast directly in iTunes or add the Podcast RSS feed to the newsreader of your choice.
Thank you to The Tragically Hip for allowing us to use their music in the podcast. Check out their new album World Container, in stores now.


Unboxing: Final Cut Studio 2

Date: Wednesday, May 23rd, 2007, 00:01
Category: Software

The PowerPage’s resident videographer Rob Parker has unboxed his shiny new Final Cut Studio 2 box and has posted five pictures of the packaging in a Flickr photostream.


Get a Mac – International ads

Date: Monday, April 2nd, 2007, 10:00
Category: News

We all love the new Get a Mac ads here in the United States, but Apple has a presence all over the world and the Get a Mac ads are just as popular elsewhere. We are all familiar with British humor, from BBC broadcasts to the many Monty Python films, so Apple has created a unique series of Get a Mac ads for the UK which mimic the US ads but with a distinctive British twist.
Apple has done the same in Japan, making localized versions using local actor/comedians. We in the west can appreciate those Japanese ads thanks to Coal, an editor/translator/publisher at Restall.org in Ota-ku, Japan. It appears Coal started hosting these back on November 11, 2006 and has graciously allowed the PowerPage to host them locally.
Click on the headline to jump to the translated Japanese Get A Mac TV commercials…


Palm Hires Former Apple Engineer in Bid to Compete With iPhone

Date: Friday, March 9th, 2007, 12:52
Category: iPhone

Palm Inc., the maker of hand-held computers, has hired a top Silicon Valley software designer as it seeks to respond to the challenge posed by Apple’s new iPhone.

The designer, Paul Mercer, a former Apple computer engineer, began work three weeks ago at Palm on a line of new products, a company spokeswoman said, but she declined to comment further on the project.

Mr. Mercer, 39, joined Palm with two employees from Iventor, the independent design firm that he headed in Palo Alto, Calif., but Palm did not acquire the company, said the spokeswoman, Marlene Somsak. Palm is based in nearby Sunnyvale.

Palm Responds to the iPhone – New York Times
