
Apple Releases Security Update 2005-001 for Mac OS X

Tom Warren   on 26 January 2005 - 19:00 · 40 comments & 4356 views

Apple Computer released a security update for Mac owners today to fix seven exploits in Mac OS X.

The update fixes a variety of problems in OS X, including ColorSync, libxml2, Mail, PHP, Safari, and Sendmail; see below for an extensive list of the problems and respective fixes.

Users of Mac OS X v10.2.8 Client and Server as well as Mac OS X v10.3.7 Client and Server can update their OS via Software Update preferences, or from Apple Downloads.

View: More Information On Vulnerabilities
Download: Security Update 2005-001 for Mac OS X 10.2.8 Client / Mac OS X 10.2.8 Server
Download: Security Update 2005-001 for Mac OS X 10.3.7 Client / Mac OS X 10.3.7 Server
View: Apple Computer


at commands
Problem: The "at" family of commands did not properly drop privileges. This could allow a local user to remove files not owned by them, run programs with added privileges, or read the contents of normally unreadable files.

Affecting: Mac OS X v10.3.7, Mac OS X Server v10.3.7

ColorSync
Problem: An out-of-specification or improperly embedded ICC color profile could overwrite the program heap and allow arbitrary code execution.

Affecting: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8

libxml2
Problem: The libxml2 library contains unsafe code that may be exploited in applications linked against it.

Affecting: Mac OS X v10.3.7, Mac OS X Server v10.3.7

Mail
Problem: A GUID containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header.

Affecting: Mac OS X v10.3.7 Client, Mac OS X Server v10.3.7

PHP
Problem: Multiple vulnerabilities in PHP, including remote denial of service and execution of arbitrary code.

Affecting: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8

Safari
Problem: When Safari's "Block Pop-Up Windows" feature is not enabled, a malicious pop-up window could appear as being from a trusted site.

Affecting: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8

SquirrelMail
Problem: A cross-site scripting vulnerability in SquirrelMail allowed email messages to contain content that would be rendered by a user's web browser.

Affecting: Mac OS X Server 10.3.7
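
The Mail item above can be checked for in stored or outgoing mail. The following is an added example, not code from Apple or from this article: it audits Message-ID values for an embedded hardware address, assuming the GUID is a standard version-1 (time-based) UUID (the article does not say which GUID layout Mail used). The function names and sample headers are constructed for illustration.

```python
import re
import uuid

# Canonical 8-4-4-4-12 hex UUID anywhere inside a header value.
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def audit_message_id(header_value):
    """Return one finding per UUID found in a Message-ID header value."""
    findings = []
    for match in UUID_RE.finditer(header_value):
        u = uuid.UUID(match.group(0))
        finding = {"uuid": str(u), "version": u.version, "leaked_mac": None}
        if u.version == 1:
            node = u.node  # low 48 bits: the node ID field
            # RFC 4122 section 4.5: a randomly generated node ID sets the
            # multicast bit (lowest bit of the first octet). If that bit is
            # clear, the field is most likely a real interface address.
            if not (node >> 40) & 0x01:
                finding["leaked_mac"] = ":".join(
                    f"{(node >> shift) & 0xFF:02x}"
                    for shift in range(40, -1, -8)
                )
        findings.append(finding)
    return findings


def private_message_id(domain):
    """Build a Message-ID from a random (version-4) UUID: no hardware data."""
    return f"<{uuid.uuid4()}@{domain}>"


# Constructed sample headers (not taken from real mail).
SAMPLE_HEADERS = [
    "<1B4E28BA-2FA1-11D2-883F-001122334455@mail.example.com>",  # v1, unicast node
    "<1b4e28ba-2fa1-11d2-883f-01ab22334455@mail.example.com>",  # v1, random node
    "<3f2b8c1e-9d4a-4c7b-a1e2-5f6d7c8b9a01@mail.example.com>",  # v4
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS + [private_message_id("mail.example.com")]:
        for f in audit_message_id(header):
            status = f["leaked_mac"] or "no hardware address"
            print(f"{header}: UUID v{f['version']}, {status}")
```

A version-1 UUID also carries its creation timestamp, so a finding with a leaked address identifies both the sending machine and when the message was composed.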

Comments
(5 replies) #1 Krankerz on 26 Jan 2005 - 19:02
QUOTE
Safari
Problem: If the "Block Pop-Up Windows" feature is enabled, then this issue does not occur. If the "Block Pop-Up Windows" feature is not enabled, a user can be misled about the content of a Pop-up window.


I don't see how this is a security threat...
#1.1 Billprozac on 26 Jan 2005 - 19:05
I suppose it is similar to how a popup can be designed to look like a system error message thus tricking the user into clicking on something.

Anyways, good to see these updates. I will get our Mac folks updated.
#1.2 Burly on 26 Jan 2005 - 19:06
It's been cut
QUOTE
If the "Block Pop-Up Windows" feature is not enabled, a user can be misled about the content of a Pop-up window if they used an untrusted link to navigate to a site they wanted to view. This update corrects the issue regardless of the "Block Pop-Up Windows" setting. Credit to Secunia Research for reporting this issue.
#1.3 creamhackered on 26 Jan 2005 - 19:07
I've changed it to:

When Safari's "Block Pop-Up Windows" feature is not enabled, a malicious pop-up window could appear as being from a trusted site

This is clearer.
#1.4 Deviate_X on 26 Jan 2005 - 21:53
I'll spell it out:

A malicious site can open a web page that appears to come from a trusted site. The user could be tricked into entering e.g. bank details (because they believe they're at the bank's website, which is 'safe') and those details get returned to the malicious page owner. Phishing.
#1.5 Krankerz on 27 Jan 2005 - 01:44
That was a little unnecessary...It was already explained and changed to make it clearer.
#2 tapo on 26 Jan 2005 - 19:09
Wait...SquirrelMail? In a patch for Mac OS 10.3.7 client?

If I have it, please tell me where. I love squirrelmail.
#3 Steven on 26 Jan 2005 - 19:31
Nice job in not reporting that this also affects 10.2.8 OS X and Server, as well as 10.3.7 Server.

There are patches available too, just use Software Update.

Nice work!!!
(7 replies) #4 kirk26 on 26 Jan 2005 - 19:39
Weird, it's on the front page of this site.
#4.1 DjmUK on 26 Jan 2005 - 19:45
That's precisely what I was thinking. I mean, there's no need really.
#4.2 Krankerz on 26 Jan 2005 - 19:54
What's so weird about it? Windows users get front page news posts on their security flaws...only they get theirs more often
#4.3 bucko on 26 Jan 2005 - 23:55
QUOTE

Windows users get front page news posts on their security flaws...only they get theirs more often


That shut them up
#4.4 kirk26 on 27 Jan 2005 - 01:08
Whatever. I own several Macs, but I don't think this should be on the front page.
That shut him up
#4.5 Krankerz on 27 Jan 2005 - 01:48
Congratulations. I own several Macs as well, and I feel it does deserve to be there. SO THERE!
That shut him up
#4.6 kirk26 on 27 Jan 2005 - 02:08
LOL, nice one. It wasn't directed at you though.
#4.7 bucko on 28 Jan 2005 - 18:04
LOL so if macosx updates shouldn't be on the home page then xp updates shouldn't be on the home page just like Krankerz said.

If you own several macs you would know how many you have as well ¬_¬
(1 reply) #6 mr_da3m0n on 26 Jan 2005 - 20:20
Great... Prelinking is going to take ages on my iBook again...
#6.1 roadwarrior on 26 Jan 2005 - 20:53
Took about 15-20 minutes on my 500MHz iBook, but I was downloading some stuff at the time as well, which was competing for hard drive access.
(3 replies) #7 SlakeT on 26 Jan 2005 - 20:23
LOL...snicker snicker...Even more for the self-proclaimed superior OS? At they now admit to it.

Following in the footsteps yet again.
#7.1 Miran on 26 Jan 2005 - 20:31
Just because an OS is "superior", does not mean it will never contain flaws or require updates.

I'm sure you know that already, as anyone with half a brain does, so stop trolling.
#7.2 chAos972 on 26 Jan 2005 - 22:21
Also bear in mind some of the updates are for 3rd party applications (PHP for example).
#7.3 jagedEdge on 26 Jan 2005 - 23:03
Yea, many of the fixes are for third party applications, not to mention the bugs aren't that severe.
#8 finalcoolman on 26 Jan 2005 - 23:53
Ahhh, just give me Tiger
(2 replies) #9 SoulEata on 27 Jan 2005 - 07:52
Yeah, I'm snickering too. I thought MacOs was "invulnerable" to hackers and viruses and exploits and blahblahblah
#9.1 Jugalator on 27 Jan 2005 - 11:56
Who told you that?

I don't think I've ever heard a Mac fan say that.

I keep hearing the same when Firefox has exploits fixed too, yet I never seem to find anything saying "Yay! Firefox 1.0, finally -- get it, this browser is immune to exploits!"
#9.2 aristotle-dude on 27 Jan 2005 - 16:21
It's not invulnerable. No OS is. But it is invulnerable to remote attacks in the default configuration (no firewall or remote services turned on by default).

That is a fact. No services on by default == no holes to exploit.
(2 replies) #10 FloatingFatMan on 27 Jan 2005 - 08:24
I like that when MS issue security fixes for Windows, even when the vulnerability was exposed by a 3rd party app, people bitch & moan that the vulnerabilities shouldn't have been there in the first place, but when Apple do it, it's all like, thanks Apple...

Anyone see how hypocritical that is?
#10.1 shichiroji4 on 27 Jan 2005 - 17:06
What nonsense are you spouting now? M$ treats security fixes like some PR work. No PR problem = no patch. There are vulnerabilities that were pointed out for months and no action was taken. Please pay more attention before branding others hypocrites, you are the epitome of one.
#10.2 SquareSoft0 on 28 Jan 2005 - 09:08
You followed his example of a hypocrite word for word, and you're absolutely oblivious to it.
(7 replies) #11 Philip_Gr on 27 Jan 2005 - 11:03
Mac OS is an OS. No OS is "invulnerable". And NO OS is superior. They are just different. What is very good for me maybe it's crap for the next guy. I personally like my Windows more than any other OS. Sure it has its flaws but so do OS X and the various Linux flavors. The good thing is to update all the OSes often so the hackers are having a crap time trying to make a mess.
#11.1 shichiroji4 on 27 Jan 2005 - 17:09
That's BS. OSX and Linux are clearly more superior to XP. The only reason why XP is popular is the nice GUI and hardware support by moronic companies whose drivers work only in Windows.
#11.2 parkker on 27 Jan 2005 - 17:17
QUOTE
hardware support


Don't be so bitter that you can only run Linux and OS X on a limited amount of hardware. Convincing companies to write drivers is easier when you have 95% of the market.
#11.3 saralk on 27 Jan 2005 - 17:50
QUOTE
That's BS. OSX and Linux are clearly more superior to XP. The only reason why XP is popular is the nice GUI and hardware support by moronic companies whose drivers work only in Windows.


That's beside the point; it's up to the companies what OSs they make drivers for. And most companies today make drivers for Windows and Mac. Heck, even BT does it.

In time honoured tradition:
#11.4 PCyr on 28 Jan 2005 - 00:42
QUOTE
That's BS. OSX and Linux are clearly more superior to XP. The only reason why XP is popular is the nice GUI and hardware support by moronic companies whose drivers work only in Windows

And we should believe you cause you say so? I forgot! You are the god of logical and factual statements.
#11.5 shichiroji4 on 28 Jan 2005 - 02:04
QUOTE
And we should believe you cause you say so? I forgot! You are the god of logical and factual statements.


Go read unbiased analysis by IT experts, you should read more before making a fool of yourself.
#11.6 SquareSoft0 on 28 Jan 2005 - 09:07
I still don't see any proof, but then again a God like shichi doesn't need proof, he's far above that.
#11.7 PCyr on 29 Jan 2005 - 20:09
QUOTE
I still don't see any proof, but then again a God like shichi doesn't need proof, he's far above that.


So, he makes a claim with no evidence, and then says that his claims are correct by providing unspecific evidence, and that makes me a fool?

Even if he did provide specific evidence, how can I be a fool, if I didn't take a position on the argument? Seems that he's making things up in his head to see what he wants to see.
(1 reply) #12 Philip_Gr on 28 Jan 2005 - 10:05
QUOTE
That's BS. OSX and Linux are clearly more superior to XP. The only reason why XP is popular is the nice GUI and hardware support by moronic companies whose drivers work only in Windows.


Can you explain to me in what way OS X and Linux are superior to Windows? OS X has a better GUI but it lacks software support. Linux is more versatile but it also lacks software support.
And as far as security goes if the user is a total ass it can f*** up every OS there is.
#12.1 mr_da3m0n on 28 Jan 2005 - 19:44
It does not lack software support actually. I have 8 computers sitting here and only one of them runs windows. And it is a headless internal file server.

I am not lacking software, you know?

I have everything I need available to do my daily computing needs.
