Apple plugs holes for domain spoofing, other attacks
Apple on Monday released a large security update for Mac OS X that fixes dozens of vulnerabilities and provides protection against potential attacks exploiting a weakness in the protocol used to verify that a domain is legitimate.
There are 43 specific issues addressed in the 2009-006 update, released the same day as Mac OS X v.10.6.2.
It plugs a variety of holes for the Mac OS X v10.5.8, 10.6, 10.6.1, and Mac OS X Server v10.6 and 10.6.1, many of which could lead to arbitrary code execution and allow an attacker to take control of a computer.
Several updates affect Apache and QuickTime. Others target AFP Client, Apple Type Services, Core Graphics, CoreMedia, Dictionary, Disk Images, Dovecot, Directory Service, fetchmail, FTP Server, Help Viewer, Kernel, PHP, QuickDraw Manager and Spotlight.
One update fixes a hole in Adaptive Firewall that could allow a brute force or dictionary attack to guess an SSH log-in password, and another update addresses a vulnerability in Login Window that could allow a user to log in to any account without supplying a password.
Several updates address holes that could allow domain spoofing or man-in-the-middle attacks involving SSL (Secure Sockets Layer), which is used to encrypt data in transit, including a significant weakness affecting the X.509 certificates used to set up SSL connections.
One of the updates affects the libsecurity feature and is billed as a "proactive change to protect users in advance of improved attacks against the MD2 hash algorithm" that could expose users to spoofing and information disclosure.
"There are known cryptographic weaknesses in the MD2 hash algorithm. Further research could allow the creation of X.509 certificates with attacker controlled values that are trusted by the system," the update says. "This could expose X.509 based protocols to spoofing, man in the middle attacks, and information disclosure. While it is not yet considered computationally feasible to mount an attack using these weaknesses, this update disables support for an X.509 certificate with an MD2 hash for any use other than as trusted root certificate."
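As an added illustration (not Apple's code and not a real certificate parser), the following Python models the policy the update describes: walk a chain from the server certificate to its trust anchor and reject any certificate signed with MD2 unless it is the trusted root itself. It generalizes slightly by letting the caller pass any set of disallowed signature-algorithm OIDs; the certificate objects, the names in them and the trust store are constructed for the example.

```python
"""Policy check for MD2-signed certificates in an X.509 chain (added example).

The update text says MD2-signed certificates are no longer accepted for any
use other than as a trusted root. This module models that policy over a
simplified, constructed certificate representation (not Apple's code and not
a real certificate parser): each certificate carries its subject, issuer and
the OID of its signature algorithm, and a trust store holds the subjects of
the roots the system trusts.
"""
from dataclasses import dataclass

# Real PKCS #1 signature-algorithm OIDs (as listed in RFC 3279 / RFC 4055).
MD2_WITH_RSA = "1.2.840.113549.1.1.2"
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

OID_NAMES = {
    MD2_WITH_RSA: "md2WithRSAEncryption",
    MD5_WITH_RSA: "md5WithRSAEncryption",
    SHA1_WITH_RSA: "sha1WithRSAEncryption",
    SHA256_WITH_RSA: "sha256WithRSAEncryption",
}


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    subject: str
    issuer: str
    sig_alg: str  # OID of the algorithm that signed this certificate


def check_chain(chain, trusted_roots, disallowed=frozenset({MD2_WITH_RSA})):
    """Validate signature-algorithm policy over a chain ordered leaf -> root.

    Returns (ok, reason). A certificate signed with a disallowed algorithm is
    rejected unless it is the trust anchor itself: the anchor's own signature
    is never verified (trust comes from the store, not from the signature),
    so a weak hash there cannot be used to forge anything.
    """
    if not chain:
        return False, "empty chain"
    # Each certificate must be issued by the next one up the chain.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject!r} not issued by {parent.subject!r}"
    anchor = chain[-1]
    if anchor.subject not in trusted_roots or anchor.issuer != anchor.subject:
        return False, f"chain does not end in a trusted self-signed root ({anchor.subject!r})"
    # Policy applies to every certificate below the anchor.
    for cert in chain[:-1]:
        if cert.sig_alg in disallowed:
            name = OID_NAMES.get(cert.sig_alg, cert.sig_alg)
            return False, f"{cert.subject!r} is signed with {name}, which is disabled for non-root use"
    return True, "ok"


# Constructed sample data: a trusted MD2-signed root, a SHA-1 intermediate,
# and two leaf certificates for the same name, one of them signed with MD2.
TRUSTED_ROOTS = {"Example Root CA"}
ROOT = Cert("Example Root CA", "Example Root CA", MD2_WITH_RSA)
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", SHA1_WITH_RSA)
GOOD_LEAF = Cert("www.example.test", "Example Intermediate CA", SHA256_WITH_RSA)
MD2_LEAF = Cert("www.example.test", "Example Intermediate CA", MD2_WITH_RSA)


def demo():
    """Run the policy over both constructed chains; returns the two verdicts."""
    good = check_chain([GOOD_LEAF, INTERMEDIATE, ROOT], TRUSTED_ROOTS)
    bad = check_chain([MD2_LEAF, INTERMEDIATE, ROOT], TRUSTED_ROOTS)
    return good, bad


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", "-", reason)
```

The root exemption is the interesting design point: a self-signed trust anchor is accepted because it sits in the trust store, not because its signature verifies, so an MD2 signature on the root gives an attacker nothing to forge, whereas an MD2 signature on any certificate below it is exactly what a collision or preimage attack would target.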
That major weakness was revealed by security researcher Dan Kaminsky at the Defcon hacker conference in July. Kaminsky was able to trick a Certificate Authority into providing a certificate verifying authenticity for a domain that belonged to someone else.
The updates can be downloaded from Apple's site.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Can log in to the guest account in peace.
Glad to see Apple being proactive. Just wait for the PC trolls to be all over this one.
but. But. BUT, it's a Mac!! It can't do that. It's just not possible to have a hole for an attacker to take advantage of your system. The commercials tell me constantly that only PCs have holes and need security patches. What's going on??? The world is coming unglued. Oh the horror!
Oh, I'm ever so confused now.
Thanks
More importantly, we PC trolls don't care.
Have a nice day.
Besides, Apple sells security software in their stores (bricks-and-mortars as well as online).
Do Apple ads say specifically that the Mac platform never has those problems? No. But you can't deny the ads are specifically designed to let you make that connection on your own. It's just marketing. But I've run into my share of fanboys that would make that claim.
I also find it funny that Apple fans describe patching as being proactive but when MS does it their software is buggy.
"By all means, point a link to a Mac commercial that says they never need patching."
Good point, but then the Apple ads haven't talked about what OS X can do for years now; they serve only as an attack vector against Windows. This has grown to the point where the hosts of MacBreak Weekly, a show dedicated to promotion of Apple products, have called the ads "bald-faced lies", "childish", and "pathetic." It seems even Apple promoters are getting tired of it.
Really, I think Apple should talk about what their product CAN do instead of attacking others.
Careful now, you do understand the differences between a "virus", a "worm" and a "trojan", right?
No one tell us no, or where to go...
You Apple zealots must be enjoying your bug fix for the bug fix, and on top of that, what the bug fixed got more bug fixes.
The last update for OS X was 2 months ago, unlike Windows, which just had some not long ago. But that's not the issue. Apple is covering up many holes before rapid exposure to the market.
I bet all the 6 updates you installed for Vista in the last 2 months are Windows Defender updates, and all of them are less than 10 MB.
But 43 security fixes for a service pack? Sorry, can't take it.
@ ckh1272
"I bet all the 6 updates you installed for Vista in the last 2 months are Windows Defender updates, and all of them are less than 10 MB.
But 43 security fixes for a service pack? Sorry, can't take it."
@exactlly--The last update had six "security updates for Vista" and two "Defender definition updates". Next ignorant question? Oh, the size of the file is irrelevant. Also, it's funny with some of you people out there (mac and windows users alike). You complain if they (Apple and Microsoft) don't update them and you complain if and when they do. I guess that's life in the "cyberworld".
I noticed you mentioned Windows Vista, which was released 3 years ago. I was comparing the latest versions of Windows and Mac OS X. Snow Leopard was released just 2 months ago and it's supposed to be a bug fix for problems in Leopard. Windows 7 does have a barrage of updates and it RTMed in July 2009. Notice your double standard before you blabber on here about Vista vs Snow Leopard.
But Microsoft never claimed that Windows is the most secure OS around (they do say that Win 7 is the most secure OS made by Microsoft). On the other hand, Apple always tries to give a false image about their OS.
When they claim it's the most secure OS and that it just works, and all of a sudden you get a huge patch that fixes 43 security holes, then there is something wrong, and SL was rushed.
"I shudder to think what Apple's security reputation would be if they had the marketshare Windows PCs have."
Isn't this kind of an irrelevant point until it happens? OSX is currently a safer place to be, unless someone is specifically targeting you (and then it depends on the knowledge/talent of whoever is attacking as to which is safer). If, one day, Apple's market share grows greatly or becomes dominant.... AND they haven't fixed their security... AND I start getting attacked at the level most of my Windows using friends do.... I'LL SWITCH (to something else).
"Apple's products "just work"? Yeah right. No they don't. Every high-tech product has problems."
You're right, every tech product does have problems. The question is more around quantity and quality (or severity) of the problems. I've been using Macs and PCs (I say PCs, because I was using them before Windows) for MANY years now, and there generally has been a quantifiable difference in what I've been able to do on either, or what my clients have been able to accomplish in either case. Call it what you like... some people say that as 'just works'. Of course that is just a pithy kind of marketing slogan, but it is pointing to a reality. I doubt anyone is fooled into thinking Macs 'just work' in the sense you're trying to say. That said, I guess my parents (who never touched a computer in their life previously) were able to set their iMac up, get it on the Internet, and install some remote control software so that I could help them from there... in like an hour with no help. Does that roughly qualify for 'just works'? Shall I compare that to my in-laws' experience with their Windows machine some day for you?
"Apple is just lucky that they have such fervent supporters, tiny marketshare and the "Steve Jobs reality distortion field"."
Hmm... or could it be that there is some actual reason they have fervent supporters? Their market-share size has little to do with 'luck', and more to do with M$'s illegal activities over the years and some REALLY REALLY bad management at Apple while Jobs was away. Re: Jobs' RDF... I've stood 5 feet from him, and didn't really like Macs any more at that point than when I'm 1000's of miles away. All I can say.... is that if one must pick a Steve to follow... Fortune CEO of the decade or Monkey boy? Seriously!
"If it was any other company, it would be ripped to shreds over 43 security fixes."
That might be. However, reputation is generally an earned thing. There is a reason Apple is more respected than many of these 'other companies' that might get ripped, as you say.
Yup, Flash.
Yawn
Maybe it would be better to get self esteem than attack smug apple users...nah!
And I'm smoking Rothmans :D
I'm a PC fan. I don't have to read about SL to make an opinion because I own it. Do you have it? And if so, do you honestly think it was worth $30? I sure don't. It feels like a SP and a couple minor updates that Microsoft gives out for free.
Now please explain to me where it was 20 USD two weeks after SL was released. If you can't keep your facts straight, I would say you have something else in those Rothmans.
I have SL on my mini at work and have been very happy with it. It didn't bring the usual feature additions, but I was able to read *AND COMPREHEND WHAT I READ* and didn't expect a bunch of new features either. It's stable, it's fast and for me it just works as advertised. What it did bring to the table is all under the hood (Grand Central, OpenCL, full 64 bit integration, Intel optimization).
People who bought SL hoping for lots of new eye candy were disappointed, but I fear they couldn't read very well anyway since no one claimed Snow Leopard would be drastically different from Leopard. Gee, even the names are similar!
I'm not lying. I didn't say SL was worthless, I was saying that the improvements weren't worth the $30 I paid for it. It did "just work" as advertised (I haven't experienced any data loss that I've been reading about) but Windows just works for me too without any of the issues people complain about. And getting the Windows 7 on preorder for $50 made the $30 for Leopard feel like a complete rip off.
Yeah so now reply to this Mac-heads.....You will only give me what I want.
Mac=OVERRATED
HAHA!
Didn't you know that WinXP Tiny Rev09 got only 75MB on it? Service Pack 3 Final (Build 5512) is included. However, once it's installed, the whole HD will have around 250MB. Awesome huh?
gosh!
grow up!
Yeah, saying the truth nowadays is ignorance,
when you can't upgrade your MAC hardware, and when you can't even build your system with better hardware for 1/3 of the price, and when you can't even use 3-year-old software ("Photoshop CS3") so you have to buy CS4 for as low as 400 USD, then once again... if you don't care much about choice, choose Apple
and let $teve Job$ pick whatever he thinks is good for you after all.
Communism owns.
Hello Mr. Borat
1st off, maybe the name "exactly" was just registered? So I had to register something close to what I wanted and I had to make it "excatlyy"?
2nd, you can't judge someone's intelligence by his English; maybe it's my 3rd or 4th language? And you saying
"Is it because it doesn't have enough brains to realize it's misspelled it's own name" shows that your English is far behind my English, but that doesn't make me any smarter than you, and any stupid, homeless person in America can speak English fluently, but that doesn't make them smart people. Bush could speak English fluently, but that didn't stop the whole world from calling him an i-d-i-o-t.
When a MAC troll like Dalkorian can't answer why Apple is overpriced and why you can't do whatever you want with your machine, they start to act smart, special and above other people's level and a little bit below God level. In the process they show how r-etard and dumb a human being with a MAC could be.
Actually you are a liar. Less than 2 months ago, in a topic here @download.com, I asked you if it was fair to force someone who bought CS3 a month ago to upgrade to CS4 for $400; you said yes, it's fair and it's their fault for getting CS3, right? Or am I supposed to get you the link where you said that? You know that CS3 runs like s-h-i-t on SL,
and you also know it's not supported by Adobe, so I guess you installed Win7 on your Mac and that's how you run your CS3 or even Photoshop 5.
About 1/3 of the price... yes, that's very true. Less than a month ago I built my PC, got all its hardware from Newegg after checking the Apple shop; the best desktop they offer is the iBook 27-inch: 2.66GHz for $2000, please correct me if I am mistaken.
I got better hardware; instead of an i5 processor I got an i7 ("you can upgrade the iBook to i7 but you have to pay an extra $200"),
and 8 GB of RAM, not only 4,
much better GFX with 1024 MB ("Apple gives you only 512") and a much better Asus MOBO,
and an LG W2753V-PF Black 27" 2ms(GTG) HDMI Full HD 1080P Widescreen LCD Monitor.
Net cost is 1100 USD, so that's almost half the price for imba hardware that can run SL ("hackintosh") much better than it can run on the best iBook offered by MAC, and for half the price. And if I got an AMD Phenom x2 or i5 processor and only 4 GB of memory and the same GFX as in the iBook, it'd have cost me less than 800 USD.
http://www.newegg.com/Product/Product.aspx?Item=N82E16819115212
http://www.hexus.net/content/item.php?item=17080
- by tsinger254 November 11, 2009 10:11 AM PST
- REAL pc users just don't care. Really.