NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0280 Apple Patches 45 Vulnerabilities, Including Critical iPhone Flaw:
On 31 July, Apple released its 2007-007 security update for Mac OS X 10.3 (Panther) and 10.4 (Tiger), patching 45 vulnerabilities, including at least 17 that could allow hackers to execute attack code. Several of the flaws addressed were in the open-source Samba file-sharing code that researchers recently warned still threatened users more than 10 weeks after their discovery. Although Apple does not rate vulnerabilities in the same way that Microsoft and other companies do, the flaws it pegs as possibly leading to "arbitrary code execution" are said to rank as "critical" in other vendors' threat-scoring systems.
The components of Mac OS X that were patched include CFNetwork, the Mac OS X library of network protocols; CoreAudio, the application programming interface that handles sound on Macs; the zgrep file-compression utility; iChat; and WebCore, the part of the WebKit application framework that handles HTML rendering.
Nearly three-fourths of the vulnerabilities patched were in open-source software, such as Kerberos, PHP, Samba, SquirrelMail, and Tomcat, that Apple blends with its proprietary code to create Mac OS X and its supporting applications.
Apple also patched several cross-site scripting, information-disclosure, and code-execution flaws in the underlying code used by the Safari browser, including a vulnerability unveiled last week in the iPhone's version of Safari that potentially gives attackers complete access to its hardware and all its data.
(www.computerworld.com 01AUG07)
Last Modified: Saturday, 01-Sep-2007 10:15:53 EDT