NTA Monitor

Latest News

Finance industry faces serious IT security issues

23rd June 2008 The finance industry needs to keep its eye on the small change as well as the bigger picture of its security vulnerabilities Read More

Retail sector faces serious IT security issues

23rd June 2008 The retail sector needs to set out its stall and ring the changes in its security vulnerabilities if it is to avoid the potential for hackers to gain unauthorised system access and disrupt service availability Read More

IT managers have more security headaches to deal with

11th May 2008 NTA Monitor's 2008 Annual Security Report has revealed that the average number of vulnerabilities found per test have increased to 21 compared with 19 in 2007 Read More

Solutions not excuses for patch management warns NTA Monitor

23rd April 2008 Patch management is a vital security requirement for any organsation Read More
Date: 30th September 2005
Risk: High

Apple has released a security update for Mac OS X that patches a multitude of vulnerabilities including Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, and System access.

The components affected can be found at the referenced website. Some of these include:

traceroute

Available for:Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:A buffer overflow could result in local privilege escalation and arbitrary code execution.
Description:The traceroute utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4.

Apache 2

Available for: Mac OS X Server v10.3.9
Impact: The htdigest program contains a buffer overflow, which, if used improperly in a CGI application, could allow a remote system compromise.
Description: The htdigest program contains a buffer overflow, and could be used in a CGI application to manage user access controls to a web server. This update fixes the buffer overflow in htdigest. Apple does not provide any CGI applications that use the htdigest program. Apache 2 ships only with Mac OS X Server, and is off by default. This issue was fixed for Apache 1.3 in Security Update 2005-005.

Bluetooth

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: The System Profiler information about whether or not a Bluetooth device requires authentication is misleading.
Description: Selecting "Require pairing for security" in Bluetooth preferences correctly sets the device to require authentication, but in System Profiler the device is labelled with "Requires Authentication: No." This update changes System Profiler to accurately reflect the Bluetooth security settings. This issue does not affect systems prior to Mac OS X 10.4.

Directory Services

Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: A buffer overflow in Directory Services could lead to remote execution of arbitrary code.
Description: A buffer overflow in the handling of authentication can lead to arbitrary code execution by a remote attacker. This update prevents the buffer overflow from occurring.

Kerberos

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Kerberos-enabled logins when using LDAP can result in root compromise.
Description: When Kerberos authentication is enabled in addition to LDAP, it was possible to gain access to a root Terminal window. Kerberos authentication has been updated to prevent this situation. This issue does not affect systems prior to Mac OS X v10.4.

MySQL

Available for: Mac OS X Server v10.3.9
Impact: Multiple vulnerabilities in MySQL, including arbitrary code execution by remote authenticated users.
Description: MySQL is updated to version 4.0.24 to address several issues. This does not affect systems running Mac OS X v10.4 as Tiger shipped with MySQL version 4.1.10a, which is patched against this issue. The MySQL announcement for version 4.0.24 is located at http://dev.mysql.com/doc/mysql/en/news-4-0-24.html

ping

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: A buffer overflow could result in local privilege escalation and arbitrary code execution.
Description: The ping utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4.

References