SecurityUpdate

Latest

  • Mac OS X 10.6.2 is on the prowl, plus security update for 10.5 users

    by TJ Luoma
    11.09.2009

    Update: As noted by our commenters and cross-confirmed with OS News, the 10.6.2 update appears to drop support for the hackintosh-centric Atom processor. This was spotted in earlier builds, but it was not clear whether the support for the netbook CPU would be in or out in the final configuration.

    We've been expecting Mac OS X 10.6.2 for a while now, especially since Apple initially said that the new Magic Mouse would require it, but it has just arrived. Alongside the OS update for Snow Leopard users, Security Update 2009-006 is out for users of Leopard. Use Software Update to make sure that you get the right update for your computer.

    Bug fixes are reported for AFP Client, Adaptive Firewall, Apache (2), Apache Portable Runtime, ATS, Certificate Assistant, CoreGraphics, CoreMedia (2), CUPS, Dictionary, DirectoryService, Disk Images, Dovecot, Event Monitor, fetchmail, file, FTP Server, Help Viewer, ImageIO, International Components for Unicode, IOKit, IPSec, Kernel, Launch Services, libsecurity, libxml, Login Window, OpenLDAP (2), OpenSSH, PHP, QuickDraw Manager, QuickLook, QuickTime (4), FreeRADIUS, Screen Sharing, Spotlight, and Subversion. No word on any new features or enhancements yet. Stay tuned.

    Here's the update list from Apple via Software Update:

    The 10.6.2 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac, including fixes for:

      • an issue that might cause your system to logout unexpectedly
      • a graphics distortion in Safari Top Sites
      • Spotlight search results not showing Exchange contacts
      • a problem that prevented authenticating as an administrative user
      • issues when using NTFS and WebDAV file servers
      • the reliability of menu extras
      • an issue with the 4-finger swipe gesture
      • an issue that causes Mail to quit unexpectedly when setting up an Exchange server
      • Address Book becoming unresponsive when editing
      • a problem adding images to contacts in Address Book
      • an issue that prevented opening files downloaded from the Internet
      • Safari plug-in reliability
      • general reliability improvements for iWork, iLife, Aperture, Final Cut Studio, MobileMe, and iDisk
      • an issue that caused data to be deleted when using a guest account

    For detailed information on this update, please visit this website: http://support.apple.com/kb/HT3874.

  • Apple releases security, Java updates

    by Christina Warren
    02.12.2009

    Start your engines -- er, Apple menus -- it's Software Update time! Apple has just issued two security updates today. The first is aimed at Java for OS X 10.5.6 and the Java Web Start and Java Applet components. The second update, for both Mac OS X 10.4.11 and Mac OS X 10.5.6, is a broader security update that addresses the Safari RSS vulnerability we discussed last month, as well as a number of other components (including perl, AFP Server and Remote Apple Events). You'll need to restart your system after installing the security update -- but we recommend you do so; this stuff looks important! Thanks Vivek!

    Postscript: Brian Mastenbrook, who discovered the Safari RSS vulnerability, has posted a blog entry detailing how he discovered the problem, why he issued a warning and how long it ultimately took Apple to respond (6 months!). It's good reading and a good discourse on how our favorite company handles security threats and how they might want to improve.

  • Apple releases Security Update 2008-007

    by Cory Bohon
    10.09.2008

    Apple released Security Update 2008-007 for Mac OS X Leopard and Tiger users today. The update addresses many specific areas of the Mac OS, including: Apache, ClamAV, CUPS, Finder, and more. A full list of the areas affected by the update can be found on the Apple support website. The update is available for the following systems:

      • Client systems running Leopard
      • Server systems running Leopard
      • Client systems running Mac OS X 10.4.11 (Intel)
      • Client systems running Mac OS X 10.4.11 (PPC)
      • Server systems running Mac OS X 10.4.11 (PPC)
      • Server systems running Mac OS X 10.4.11 (Universal)

    You can get the update by downloading the installer package from the Apple support website, or by opening Software Update (Apple menu > Software Update). Continue reading for a change log for this update.

  • Apple TV update 2.2

    by Cory Bohon
    10.02.2008

    Earlier tonight, Apple issued a Security Update for Apple TV. According to Apple, this update (version 2.2) fixes a bug in Apple TV in which a "maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." This definitely doesn't sound good to us.

    It's not all boring security stuff; Apple also added a Genius playlist function. To access the Genius function, just hold down the play/pause button while a song is playing, and a popup menu will allow you to "Start Genius," or add to an on-the-go playlist.

    You can download this update by navigating to Settings > Update Software. Alternatively, Apple TV checks on a weekly basis for any new updates. If it finds an update, it will download, verify, and install the new update. You can read more about this update in this Apple support article. Have you found another feature of the update? Let us know by sharing in the comments below, or sending us a tip! Thanks Justin

  • Mac OS X 10.5.5 Combo updater, Security Update for 10.4 now available

    by Cory Bohon
    09.15.2008

    If you've been a bad nervous Mac user, then chances are that you might not be running the latest updates. If so, you can download the Combo updater for Mac OS X 10.5.5 which includes all important patches up to this point, so you can remain up-to-date even if you skipped a couple of updates. If you are still running the slightly older OS, Tiger, then Apple has provided an update for you as well. The Security 2008-006 update allows you to stay as safe as your Leopard brethren. Security update 2008-006 is available for both PPC and Intel Macs running Mac OS X 10.4 (Tiger).

    You can download all of these updates by opening Software Update (Apple menu > Software Update) or by visiting Apple's download page.

  • Security Update 2008-002 v1.1

    by Cory Bohon
    03.26.2008

    Today, Apple released Security Update 2008-002 v1.1 for Leopard client and Leopard server. Software Update gives us the following information about the update: Security Update 2008-002 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update.

    You can download this update by opening Software Update (Apple menu > Software Update) or by downloading either the client or server installer package from the Apple Support downloads website.

  • Security Update 2008-002 issues may be cleared up by Rogue Amoeba fix

    by Michael Rose
    03.19.2008

    As many of you have reported, there are a few hiccups for some who have installed the latest Leopard security update. Two of the areas of concern are ssh (no connectivity or a crash) and printing (errors out, documents never finish spooling), with various fixes offered (reinstalling the 10.5.2 combo update, installing a standalone SSH build) and various degrees of success reported.

    One emergent common thread for some of the problems is the presence of a Rogue Amoeba audio utility, and the gang in the petri dish have responded with a revised version of the Instant Hijack framework. The new 2.0.3 version aims to address a bug that has been latent since the introduction of Leopard's position-independent executables feature, where certain sensitive processes (like, say, ssh) could be run from a randomized memory address, avoiding attack vectors that depend on targeting a specific vulnerable spot within the code.

    Up until the 2008-002 security patches, according to RA, the PIE feature wasn't used for anything yet -- after the update, surprise surprise, ssh is being moved around when it runs. Since Instant Hijack inspects newly launched processes to see if they have audio properties, it tries to look at the ssh instance in memory -- hey, wherdja go? Hence the problem.

    If you have been experiencing ssh issues and have Rogue Amoeba apps installed, try the patch and let us know what happens.

    [via Daring Fireball + Apple discussions]

  • Security Update 2008-002 is available

    by Dave Caolo
    03.18.2008

    Fire up Software Update, Mac users. Security Update 2008-002 has been released. According to Apple, this update "...is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update."

    So, it improves security. How exciting. As usual, we ask you to report any problems you encounter after installing this update. Good luck, true believers! Note that this update, like the earlier Safari 3.1, requires a reboot.

    Thanks to everyone who sent this in!

  • Update love for the Tiger crowd: Security Update 2008-001

    by Michael Rose
    02.12.2008

    Want the security goodness of 10.5.2 in a familiar, Tiger-iffic package? You want the new, much improved Security Update 2008-001, available now for client and server versions of 10.4.11. The update includes fixes for URL vulnerabilities in Mail, Terminal and Safari, patches for Parental Controls and X11, and more -- full list after the break.

    You can find this update in Software Update or download direct from Apple. Happy patching!

  • Security Update 2007-005

    by Erica Sadun
    05.24.2007

    Apple has just posted its latest security update. This update addresses a boatload of possible vulnerabilities including a number of core unix utilities as well as iChat and VPN. Without further ado, here's a quick rundown of the fixes and the vulnerabilities:

      • Alias Manager. Impact: Users may be misled into opening a substituted file
      • BIND. Impact: Multiple vulnerabilities in BIND, the most serious of which is remote denial of service
      • CoreGraphics. Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
      • crontabs. Impact: The daily /tmp cleanup script may lead to a denial of service
      • fetchmail. Impact: fetchmail password disclosure may be possible
      • file. Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution
      • iChat. Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
      • mDNSResponder. Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
      • PPP. Impact: A local user may obtain system privileges
      • ruby. Impact: Denial of service vulnerabilities in the Ruby CGI library
      • screen. Impact: Multiple denial of service vulnerabilities in GNU Screen
      • texinfo. Impact: A vulnerability in texinfo may allow arbitrary files to be overwritten
      • VPN. Impact: A local user may obtain system privileges

    Thanks Tomasz

  • Revised Security Update 004 and QT CanSecWest fix released

    by Michael Rose
    05.01.2007

    Those of you in the habit of waiting a week or two to apply Apple's updates may now begin to snicker in satisfaction. A revised version of the 004 security update was released this afternoon, correcting two issues (Airport problems in 10.3.9 and FTP settings on Mac OS X Server). We linked to MacFixit's troubleshooting report for the original update late last week.

    Also released: QuickTime 7.1.6, which applies to both Mac OS X and Windows deployments and closes the Java exploit used to win the CanSecWest $10,000 challenge. As expected, researcher Dino Dai Zovi and the Zero Day Initiative/Tipping Point are credited with the discovery of the vulnerability. The ZDI writeup notes that the time from discovery to patch was eight days... not all that bad.

    [via MacRumors]

  • Security Update 2007-004

    by Scott McNulty
    04.19.2007

    You know what that feeling in the air is? That's right! Apple has released a new security update. Security Update 2007-004. It seems to fix a slew of things, so I would suggest installing it as soon as possible.

    It is available for 10.3.9 server, 10.3.9 client, PPC, and Universal flavors.

  • Security Update 2006-003

    by Scott McNulty
    05.11.2006

    Apple also released Security Update 2006-003 today (which, if you're counting, is the third such security update for this year). This update includes files for both server and client editions of OS X, as well as files for OS X 10.3.9 through OS X 10.4.6.

    This fixes a host of security issues, so I won't list them here, but if you are interested check out the tech note.

    Update: Brent points out, correctly, that there have been 9 security updates so far this year, however, I was correct in that this is the third OS specific update of the year. Don't you just like it when everyone is right?

  • Apple releases iTunes, security updates

    by Dave Caolo
    03.01.2006

    Apple has made both iTunes 6.0.4 and Security Update 2006-001 available via Security Update. According to Apple, iTunes 6.0.4 "...addresses stability and performance issues related to Front Row," and today's security update improves the security of the following components:

      • apache_mod_php
      • automount
      • Bom
      • Directory Services
      • iChat
      • IPSec
      • LaunchServices
      • LibSystem
      • loginwindow
      • Mail
      • rsync
      • Safari
      • Syndication

    Go and get 'em, folks.

    Update: Reader Bob points out that iPhoto has also been updated. It's now at version 6.0.2, which, according to Apple, "...resolves several minor issues with playing shared slideshows in Front Row." Thanks, Bob!