security update

Latest

  • Apple releases slew of updates, fixes Zero Day bug

    by Michael Grothaus
    04.14.2010

    Apple has released a slew of updates in the last few days, including a security update that fixes the Zero Day bugs discovered by Charlie Miller and revealed at CanSecWest. In addition to the MacBook Pro and MobileMe Backup updates, Apple has also released:

      • 27-inch iMac SMC Firmware Update 1.0: This update fixes Target Display Mode compatibility issues on 27-inch iMac computers. Weighs in at 397 KB.
      • 27-inch iMac EFI FW Update 1.0: The update is recommended for all quad-core Intel Core i5 and Core i7 processor 27-inch iMacs. Weighs in at 2.1 MB. This update addresses the following:
          • Resolves an issue that sometimes caused high processor utilization while playing audio through the headphone output mini-jack.
          • Resolves an issue that prevented the display backlight from turning on after powering on the iMac.
      • Security Update 2010-003 (Snow Leopard): Security Update 2010-003 is recommended for all users and improves the security of Mac OS X. Weighs in at 6.50 MB.
      • Server Admin Tools 10.6.3: This update includes the latest releases of: iCal Server Utility, Podcast Composer, Server Admin, Server Monitor, Server Preferences, System Image Utility, Workgroup Manager, and Xgrid Admin. The update weighs in at 236MB.
      • Security Update 2010-003 (Leopard-Client): This update improves the security of Mac OS X. Weighs in at 218.6 MB.
      • Security Update 2010-003 (Leopard-Server): This update improves the security of Mac OS X. Weighs in at 379.5 MB.
      • Mac OS X v10.6.3 v1.1 Update (Combo): The 10.6.3 v1.1 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac. The update weighs in at 785.29 MB.
      • Mac OS X Server 10.6.3 v1.1 Update (Combo): The 10.6.3 v1.1 update is recommended for all servers currently running Snow Leopard Server version 10.6 and includes general operating system fixes that enhance the stability, compatibility and security of your server. The update weighs in at 897.32 MB.

  • Patch for ancient DOS bug in latest Windows XP update causing blue screen errors

    by Nilay Patel
    02.11.2010

    Looks like Patch Tuesday turned into BSOD Tuesday for some Windows XP users -- Microsoft's latest security updates for the venerable OS are causing blue screens and endless reboots for people. That's the word according to a growing support thread on Microsoft's site -- and making matters just slightly worse / funnier, it's apparently the patch for that 17-year-old DOS vulnerability that's causing all the trouble. You win some, you lose some, right? Microsoft's identified a fix for those with access to an XP install disc and an optical drive, but that leaves most netbook users out in the cold -- and considering netbooks are where most of the recent XP action's been going down lately, we're hoping a better solution comes down the pike soon. P.S.- That's the BSOD tattoo guy in the photo -- remember him? [Thanks, HyperSl4ck3r]

  • Microsoft patches IE security hole, human rights activities fully resume

    by Darren Murph
    01.21.2010

    Ready for an update? Good. If you're still using Microsoft's Internet Explorer (versions 5.01 to 8) for some inexplicable reason, there's a patch that you should probably install on the double -- that is, if you're a hardcore human rights activist that just might end up on a Chinese hit list. All kidding aside, the devs in Redmond have broken free from their usual monthly update cycle in order to push out a patch to fix the hole that was exploited by a group of sophisticated hackers last week. Refresh that Windows Update if you're scared, or -- you know -- just download one of the many other free web browsers that are far, far superior to IE.

  • Windows 7 Black Screen of Death? (It's not as bad as it sounds)

    by Joseph L. Flatley
    12.01.2009

    Well, maybe it's not as bad as it sounds, but it's still not so good. As you're probably aware, over the last week or so Windows users of all stripes (not just Windows 7 users, as it turns out) have been complaining of a plain black screen that appears upon login -- at which point the systems lock up, and... that's it. Aside from some users getting an additional My Computer window (lucky devils) the system grinds to a halt. According to a Microsoft email that's making the rounds, the company is "investigating reports that its latest release of security updates is resulting in system issues for some customers." Until that time, what's a poor PC user to do? Prevx, a UK developer of anti-malware software, has surmised that a recent Windows security patch changed Access Control List (ACL) entries in the registry, preventing some software from running properly and prompting Engadget to whip up a Bergman-inspired graphic. If your machine should find itself afflicted, Prevx has put together a fix that it claims will do the trick. Keep in mind that we don't know these guys, so don't blame us if it blows up your computer -- or gives you the Bubonic plague. We'll let you know when we hear back from Microsoft on this one. Good luck! Update: Microsoft says this isn't its fault, and that it's likely some nasty malware to blame.

  • Mac OS X 10.6.2 is on the prowl, plus security update for 10.5 users

    by TJ Luoma
    11.09.2009

    Update: As noted by our commenters and cross-confirmed with OS News, the 10.6.2 update appears to drop support for the hackintosh-centric Atom processor. This was spotted in earlier builds, but it was not clear whether the support for the netbook CPU would be in or out in the final configuration.

    We've been expecting Mac OS X 10.6.2 for a while now, especially since Apple initially said that the new Magic Mouse would require it, but it has just arrived. Alongside the OS update for Snow Leopard users, Security Update 2009-006 is out for users of Leopard. Use Software Update to make sure that you get the right update for your computer. Bug fixes are reported for AFP Client, Adaptive Firewall, Apache (2), Apache Portable Runtime, ATS, Certificate Assistant, CoreGraphics, CoreMedia (2), CUPS, Dictionary, DirectoryService, Disk Images, Dovecot, Event Monitor, fetchmail, file, FTP Server, Help Viewer, ImageIO, International Components for Unicode, IOKit, IPSec, Kernel, Launch Services, libsecurity, libxml, Login Window, OpenLDAP (2), OpenSSH, PHP, QuickDraw Manager, QuickLook, QuickTime (4), FreeRADIUS, Screen Sharing, Spotlight, and Subversion. No word on any new features or enhancements yet. Stay tuned.

    Here's the update list from Apple via Software Update: The 10.6.2 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac, including fixes for:

      • an issue that might cause your system to logout unexpectedly
      • a graphics distortion in Safari Top Sites
      • Spotlight search results not showing Exchange contacts
      • a problem that prevented authenticating as an administrative user
      • issues when using NTFS and WebDAV file servers
      • the reliability of menu extras
      • an issue with the 4-finger swipe gesture
      • an issue that causes Mail to quit unexpectedly when setting up an Exchange server
      • Address Book becoming unresponsive when editing
      • a problem adding images to contacts in Address Book
      • an issue that prevented opening files downloaded from the Internet
      • Safari plug-in reliability
      • general reliability improvements for iWork, iLife, Aperture, Final Cut Studio, MobileMe, and iDisk
      • an issue that caused data to be deleted when using a guest account

    For detailed information on this update, please visit this website: http://support.apple.com/kb/HT3874.

  • Apple releases security, Java updates

    by Christina Warren
    02.12.2009

    Start your engines -- er, Apple menus -- it's Software Update time! Apple has just issued two security updates today. The first is aimed at Java for OS X 10.5.6 and the Java Web Start and Java Applet components. The second update, for both Mac OS X 10.4.11 and Mac OS X 10.5.6, is a broader security update that addresses the Safari RSS vulnerability we discussed last month, as well as a number of other components (including perl, AFP Server and Remote Apple Events). You'll need to restart your system after installing the security update -- but we recommend you do so; this stuff looks important! Thanks Vivek! Postscript: Brian Mastenbrook, who discovered the Safari RSS vulnerability, has posted a blog entry detailing how he discovered the problem, why he issued a warning and how long it ultimately took Apple to respond (6 months!). It's good reading and a good discourse on how our favorite company handles security threats and how they might want to improve.

  • Apple releases Security Update 2008-007

    by Cory Bohon
    10.09.2008

    Apple released Security Update 2008-007 for Mac OS X Leopard and Tiger users today. The update addresses many specific areas of the Mac OS, including: Apache, ClamAV, CUPS, Finder, and more. A full list of the areas affected by the update can be found on the Apple support website. The update is available for the following systems:

      • Client systems running Leopard
      • Server systems running Leopard
      • Client systems running Mac OS X 10.4.11 (Intel)
      • Client systems running Mac OS X 10.4.11 (PPC)
      • Server systems running Mac OS X 10.4.11 (PPC)
      • Server systems running Mac OS X 10.4.11 (Universal)

    You can get the update by downloading the installer package from the Apple support website, or by opening Software Update (Apple menu > Software Update). Continue reading for a change log for this update.

  • Apple TV update 2.2

    by Cory Bohon
    10.02.2008

    Earlier tonight, Apple issued a Security Update for Apple TV. According to Apple, this update (version 2.2) fixes a bug in Apple TV in which a "maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." This definitely doesn't sound good to us. It's not all boring security stuff; Apple also added a Genius playlist function. To access the Genius function, just hold down the play/pause button while a song is playing, and a popup menu will allow you to "Start Genius," or add to an on-the-go playlist. You can download this update by navigating to Settings > Update Software. Alternatively, Apple TV checks on a weekly basis for any new updates. If it finds an update, it will download, verify, and install the new update. You can read more about this update in this Apple support article. Have you found another feature of the update? Let us know by sharing in the comments below, or sending us a tip! Thanks Justin

  • Mac OS X 10.5.5 Combo updater, Security Update for 10.4 now available

    by Cory Bohon
    09.15.2008

    If you've been a bad nervous Mac user, then chances are that you might not be running the latest updates. If so, you can download the Combo updater for Mac OS X 10.5.5 which includes all important patches up to this point, so you can remain up-to-date even if you skipped a couple of updates. If you are still running the slightly older OS, Tiger, then Apple has provided an update for you as well. The Security 2008-006 update allows you to stay as safe as your Leopard brethren. Security update 2008-006 is available for both PPC and Intel Macs running Mac OS X 10.4 (Tiger). You can download all of these updates by opening Software Update (Apple menu > Software Update) or by visiting Apple's download page.

  • Security Update 2008-002 v1.1

    by Cory Bohon
    03.26.2008

    Today, Apple released Security Update 2008-002 v1.1 for Leopard client and Leopard server. Software Update gives us the following information about the update: Security Update 2008-002 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update. You can download this update by opening Software Update (Apple menu > Software Update) or by downloading either the client or server installer package from the Apple Support downloads website.

  • Security Update 2008-002 issues may be cleared up by Rogue Amoeba fix

    by Michael Rose
    03.19.2008

    As many of you have reported, there are a few hiccups for some who have installed the latest Leopard security update. Two of the areas of concern are ssh (no connectivity or a crash) and printing (errors out, documents never finish spooling), with various fixes offered (reinstalling the 10.5.2 combo update, installing a standalone SSH build) and various degrees of success reported.

    One emergent common thread for some of the problems is the presence of a Rogue Amoeba audio utility, and the gang in the petri dish have responded with a revised version of the Instant Hijack framework. The new 2.0.3 version aims to address a bug that has been latent since the introduction of Leopard's position-independent executables feature, where certain sensitive processes (like, say, ssh) could be run from a randomized memory address, avoiding attack vectors that depend on targeting a specific vulnerable spot within the code.

    Up until the 2008-002 security patches, according to RA, the PIE feature wasn't used for anything yet -- after the update, surprise surprise, ssh is being moved around when it runs. Since Instant Hijack inspects newly launched processes to see if they have audio properties, it tries to look at the ssh instance in memory -- hey, wherdja go? Hence the problem.

    If you have been experiencing ssh issues and have Rogue Amoeba apps installed, try the patch and let us know what happens. [via Daring Fireball + Apple discussions]

  • Security Update 2008-002 is available

    by Dave Caolo
    03.18.2008

    Fire up Software Update, Mac users. Security Update 2008-002 has been released. According to Apple, this update "...is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update." So, it improves security. How exciting. As usual, we ask you to report any problems you encounter after installing this update. Good luck, true believers! Note that this update, like the earlier Safari 3.1, requires a reboot. Thanks to everyone who sent this in!

  • Update love for the Tiger crowd: Security Update 2008-001

    by Michael Rose
    02.12.2008

    Want the security goodness of 10.5.2 in a familiar, Tiger-iffic package? You want the new, much improved Security Update 2008-001, available now for client and server versions of 10.4.11. The update includes fixes for URL vulnerabilities in Mail, Terminal and Safari, patches for Parental Controls and X11, and more -- full list after the break. You can find this update in Software Update or download direct from Apple. Happy patching!

  • Security Update 2007-009 for Leopard now available

    by Nik Fletcher
    12.17.2007

    If you've been wondering when we'd see a security update for Mac OS X Leopard: you can stop holding your breath. Apple has just pushed out Security 2007-009 for Mac OS X 10.5.1. So what's been fixed? According to the release notes:

      • Core Foundation
      • Flash Player Plug-in
      • Quick Look
      • Safari
      • Shockwave Plug-in
      • and plenty more

    The update, which as ever is recommended for everyone running the latest big cat, weighs in at 35.6MB. If you're wanting to go ahead and install the update without waiting, you'll want to run over to the Apple Support site and grab the file, or simply run Software Update on your system. As with all OS X updates, we'd strongly suggest you have a working backup before installing on any mission-critical system.

  • Security Update 2007-005

    by Erica Sadun
    05.24.2007

    Apple has just posted its latest security update. This update addresses a boatload of possible vulnerabilities including a number of core unix utilities as well as iChat and VPN. Without further ado, here's a quick rundown of the fixes and the vulnerabilities:

      • Alias Manager. Impact: Users may be misled into opening a substituted file
      • BIND. Impact: Multiple vulnerabilities in BIND, the most serious of which is remote denial of service
      • CoreGraphics. Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
      • crontabs. Impact: The daily /tmp cleanup script may lead to a denial of service
      • fetchmail. Impact: fetchmail password disclosure may be possible
      • file. Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution
      • iChat. Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
      • mDNSResponder. Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
      • PPP. Impact: A local user may obtain system privileges
      • ruby. Impact: Denial of service vulnerabilities in the Ruby CGI library
      • screen. Impact: Multiple denial of service vulnerabilities in GNU Screen
      • texinfo. Impact: A vulnerability in texinfo may allow arbitrary files to be overwritten
      • VPN. Impact: A local user may obtain system privileges

    Thanks Tomasz

  • Revised Security Update 004 and QT CanSecWest fix released

    by Michael Rose
    05.01.2007

    Those of you in the habit of waiting a week or two to apply Apple's updates may now begin to snicker in satisfaction. A revised version of the 004 security update was released this afternoon, correcting two issues (Airport problems in 10.3.9 and FTP settings on Mac OS X Server). We linked to MacFixit's troubleshooting report for the original update late last week. Also released: QuickTime 7.1.6, which applies to both Mac OS X and Windows deployments and closes the Java exploit used to win the CanSecWest $10,000 challenge. As expected, researcher Dino Dai Zovi and the Zero Day Initiative/Tipping Point are credited with the discovery of the vulnerability. The ZDI writeup notes that the time from discovery to patch was eight days... not all that bad. [via MacRumors]

  • Security Update 2007-004

    by Scott McNulty
    04.19.2007

    You know what that feeling in the air is? That's right! Apple has released a new security update. Security Update 2007-004. It seems to fix a slew of things, so I would suggest installing it as soon as possible. It is available for 10.3.9 server, 10.3.9 client, PPC, and Universal flavors.

  • Security Update 2006-003

    by Scott McNulty
    05.11.2006

    Apple also released Security Update 2006-003 today (which, if you're counting, is the third such security update for this year). This update includes files for both server and client editions of OS X, as well as files for OS X 10.3.9 through OS X 10.4.6. This fixes a host of security issues, so I won't list them here but if you are interested check out the tech note. Update: Brent points out, correctly, that there have been 9 security updates so far this year, however, I was correct in that this is the third OS specific update of the year. Don't you just like it when everyone is right?

  • Apple releases iTunes, security updates

    by Dave Caolo
    03.01.2006

    Apple has made both iTunes 6.0.4 and Security Update 2006-001 available via Security Update. According to Apple, iTunes 6.0.4 "...addresses stability and performance issues related to Front Row," and today's security update improves the security of the following components:

      • apache_mod_php
      • automount
      • Bom
      • Directory Services
      • iChat
      • IPSec
      • LaunchServices
      • LibSystem
      • loginwindow
      • Mail
      • rsync
      • Safari
      • Syndication

    Go and get 'em, folks. Update: Reader Bob points out that iPhoto has also been updated. It's now at version 6.0.2, which, according to Apple, "...resolves several minor issues with playing shared slideshows in Front Row." Thanks, Bob!