Security Update 2008-005 has been released for OS 10.5.4, as well as the Intel and PPC variants of 10.4.11.

This update is not safe for AMD users. AMD users should use Zephyroth's AMD Software Updater to patch CPUIDs, or grab the fixed version mentioned here. Of course this update is 100% safe for vanilla installs, and as long as you don't have an AMD system you should be able to update normally.

According to Apple's published information, Security Update 2008-005 fixes the following:

Open Scripting Architecture

Impact: A local user may execute commands with elevated privileges

Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges. The recently reported ARDAgent and SecurityAgent issues are addressed by this update. Credit to Charles Srstka for reporting this issue.

BIND

Impact: BIND is susceptible to DNS cache poisoning and may return forged information

Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.

CarbonCore

Impact: Processing long filenames may lead to an unexpected application termination or arbitrary code execution

Description: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

CoreGraphics (Memory issues)

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue.

CoreGraphics (PDF issues)

Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow in the handling of PDF files may result in a heap buffer overflow. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PDF files. Credit to Pariente Kobi working with the iDefense VCP for reporting this issue.

Data Detectors Engine

Impact: Viewing maliciously crafted messages with Data Detectors may lead to an unexpected application termination

Description: Data Detectors are used to extract reference information from textual content or archives. A resource consumption issue exists in Data Detectors' handling of textual content. Viewing maliciously crafted content in an application that uses Data Detectors may lead to a denial of service, but not arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.5.

Disk Utility

Impact: A local user may obtain system privileges

Description: The "Repair Permissions" tool in Disk Utility makes /usr/bin/emacs setuid. After the Repair Permissions tool has been run, a local user may use emacs to run commands with system privileges. This update addresses the issue by correcting the permissions applied to emacs in the Repair Permissions tool. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Anton Rang and Brian Timares for reporting this issue.

OpenLDAP

Impact: A remote attacker may be able to cause an unexpected application termination

Description: An issue exists in OpenLDAP's ASN.1 BER decoding. Processing a maliciously crafted LDAP message may trigger an assertion and lead to an unexpected application termination of the OpenLDAP daemon, slapd. This update addresses the issue by performing additional validation of LDAP messages.

OpenSSL

Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution

Description: A range checking issue exists in the SSL_get_shared_ciphers() utility function within OpenSSL. In an application using this function, processing maliciously crafted packets may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

PHP

Impact: Multiple vulnerabilities in PHP 5.2.5

Description: PHP is updated to version 5.2.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website (http://www.php.net/). PHP version 5.2.x is only provided with Mac OS X v10.5 systems.

QuickLook

Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues exist in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5.

rsync

Impact: Files outside the module root may be accessed or overwritten remotely

Description: Path validation issues exist in rsync's handling of symbolic links when running in daemon mode. Placing symbolic links in an rsync module may allow files outside of the module root to be accessed or overwritten. This update addresses the issue through improved handling of symbolic links. Further information on the patches applied is available via the rsync web site at http://rsync.samba.org/

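As an added example (not from the original post or from Apple's advisory), here is a POSIX shell script that checks three of the fixes listed above after the update is installed: the shipped named version (9.3.5-P1 on 10.4.11, 9.4.2-P1 on 10.5.4), the setuid bit that the Disk Utility "Repair Permissions" bug used to leave on /usr/bin/emacs, and the PHP 5.2.6 version on 10.5. It assumes the stock `named -v`, `sw_vers`, `ls -l` and `php -v` output formats; the parsers take command output as strings so they can be exercised with constructed input.

```shell
#!/bin/sh
# Added example, not part of the original post or Apple's advisory. Parsers take
# command output as strings (testable offline); run_live_checks calls the real tools.

# Pull "major.minor.patch[-Pn]" out of `named -v` output such as "BIND 9.4.2-P1".
bind_version() {
  printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\(-P[0-9]*\)*\).*/\1/p'
}

# True when the running BIND is the patched release for that OS line
# (9.3.5-P1 on 10.4.11, 9.4.2-P1 on 10.5.4) or a later patch of the same branch.
bind_patched() {  # $1 = `named -v` output, $2 = "10.4" or "10.5"
  v=$(bind_version "$1")
  case "$2:$v" in
    10.4:9.3.5-P[1-9]*|10.4:9.3.[6-9]*) return 0 ;;
    10.5:9.4.2-P[1-9]*|10.5:9.4.[3-9]*) return 0 ;;
  esac
  return 1
}

# True when an `ls -l` line shows the setuid bit (s/S in the owner-execute
# column), i.e. the state the Repair Permissions bug left /usr/bin/emacs in.
is_setuid_mode() {
  case "$1" in
    ???[sS]*) return 0 ;;
  esac
  return 1
}

# Version from the first line of `php -v`, e.g. "PHP 5.2.6 (cli) (built: ...)".
php_version() {
  printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# Live checks; only meaningful on the Mac being verified (assumes stock tools).
run_live_checks() {
  os=$(sw_vers -productVersion 2>/dev/null | cut -d. -f1,2)
  if command -v named >/dev/null 2>&1; then
    bind_patched "$(named -v 2>&1)" "$os" && echo "BIND: patched" || echo "BIND: NOT patched"
  fi
  if is_setuid_mode "$(ls -l /usr/bin/emacs 2>/dev/null)"; then
    echo "emacs: setuid bit set (Repair Permissions bug state)"
  else
    echo "emacs: ok"
  fi
  [ "$(php_version "$(php -v 2>/dev/null)")" = "5.2.6" ] && echo "PHP: 5.2.6" || echo "PHP: not 5.2.6"
}

case "${1:-}" in --live) run_live_checks ;; esac
```

Run it as `sh check.sh --live` on the updated machine; without `--live` it only defines the functions.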
Good luck updating! If an AMD/non-vanilla workaround is released, I will be sure to update this post.


User Feedback

Recommended Comments



AndrewNZ

Posted


No probs with the update process, but there's some doubt that the security fix actually does what it's supposed to. Anyone able to confirm or deny?

Andy.

tomazzzi

Posted

No problems here either.

mvolker

Posted

Works fine for me.

Sony Vaio CR260F.

Leopard 10.5.4

kernel vanilla 9.4

uname -a = 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386

DA_SONG_MAN

Posted

Heard this helps both server and client but client is not protected from the DNS cache bug.

steadybootleggin

Posted

we all know that this is working with vanilla installs............ no need to beat a dead horse.....but, i took a co-worker's Dell Dimension 4600 SSE2 Pentium 4 and installed xxx 10.4.11 (he could not stop going to pron sites and he was getting too many viruses with his XP setup, so i rescued him).......... did the update and,.......no problem!!!

Beerkex'd

Posted

Works for me too. Specs in signature..

kalin

Posted

Updated with no problems :(

barchetta

Posted

Maybe a problem with USB ports here.

Using MSIWINDosx86 on a Medion Akoya E1210.

Dunno if the partially non-working USB ports are caused by this update though.

Mice, Bluetooth and CD players only work when connected to the USB at boot-up, otherwise they are not recognized.

USB Mass Storage devices (usb-drivers) do work when I plug them in after boot-up.

Could you guys check your USBs?

-one-_-shot-

Posted

I got some version for AMD and everything works fine, except it only recognizes USB keyboards and won't recognize any other kinds now.

swampass2

Posted

Pentium D, 10.5.4 (Kalyway 10.5.2 -> 10.5.3 Kalyway combo update -> "cleaned" Apple 10.5.4 update package), modbin 9.4. This security update gave me definite USB issues. Reinstalling now....

NeoSwap

Posted

Same problem as barchetta, USB devices are not recognized unless plugged in during boot.

Nothing else seems to be broken, though.

Specs: GA-P35-S3G, Intel Core 2 Quad Q9300, 8GB 667 MHz DDR2 RAM,

Jas 10.5.4 with 9.2.0 kernel

XoDeus

Posted

It installed fine... :D

quixote

Posted

For me this fix worked fine.. until it came to PHP in Apache. When I activate libphp5.so the server cannot start. Has anyone found the same problem? The fix updated PHP to version 5.2.6.

FuZi0n

Posted

Does anybody have news on this security update in combination with iAtkos v4i? Just a little curious, still wondering if it will work and I don't really want to experiment with it :D I saw someone with iAtkos v2 (I believe, anyway 10.5.2) with an upgrade to 10.5.4, but I don't know if that has the same effect.

Oh never mind, I see XoDeus tried it and it worked.

One question though, does the success of installing this update depend on the type of kernel you installed?

sox

Posted

Hi. I need some help here... I want to install the 10.5.4 version on my notebook, an Asus W5F, but I don't know how. Can someone help me please? Thx

TheKIV

Posted

It works fine.

AndreaGalileo

Posted

Try using an older kernel. Worked for me!

almopd3

Posted

Thanks man

boss4908

Posted

Question. If you have updated to 10.5.5, is this update needed?

Bobby Burgess

Posted

Can anyone show me how to use the updater please?

I have Jas 10.4.8 on an AMD.

When I used it and rebooted it shows me gibberish.

Any help will do.

Embio

Posted

*facepalm*

 

try google
