Security Update 2005-003 Released

MacRumors

macrumors bot
Original poster
Apr 12, 2001
7,464
8,522
Now available via Software Update:
Security Update 2005-003 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

AFP Server
Bluetooth Setup Assistant
CoreFoundation
Cyrus SASL
Folder permissions
Safari
Samba

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798
Further details can be found at http://docs.info.apple.com/article.html?artnum=301061.

The previous Mac OS X Security Update was released February 22.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
36,052
3,279
Los Angeles
Changes described:

AFP Server
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0340
Impact: A specially crafted packet can cause a Denial of Service against the AFP Server.
Description: A specially crafted packet will terminate the operation of the AFP Server due to an incorrect memory reference.

AFP Server
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0715
Impact: The contents of a Drop Box can be discovered.
Description: Fixes the checking of file permissions for access to Drop Boxes. Credit to John M. Glenn of San Francisco for reporting this issue.

Bluetooth Setup Assistant
Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
CVE-ID: CAN-2005-0713
Impact: Local security bypass when using a Bluetooth input device.
Description: The Bluetooth Setup Assistant may be launched on systems without a keyboard or a preconfigured Bluetooth input device. In these cases, access to certain privileged functions has been disabled within the Bluetooth Setup Assistant.

Core Foundation
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0716
Impact: Buffer overflow via an environment variable.
Description: The incorrect handling of an environment variable within Core Foundation can result in a buffer overflow that may be used to execute arbitrary code. This issue has been addressed by correctly handling the environment variable. Credit to iDEFENSE and Adriano Lima of SeedSecurity.com for reporting this issue.

Cyrus IMAP
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015, CAN-2004-1067
Impact: Multiple vulnerabilities in Cyrus IMAP, including remotely exploitable denial of service and buffer overflows.
Description: Cyrus IMAP is updated to version 2.2.12, which includes fixes for buffer overflows in fetchnews, backend, proxyd, and imapd. Further information is available from http://asg.web.cmu.edu/cyrus/download/imapd/changes.html.

Cyrus SASL
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2002-1347, CAN-2004-0884
Impact: Multiple vulnerabilities in Cyrus SASL, including remote denial of service and possible remote code execution in applications that use this library.
Description: Cyrus SASL is updated to address several security holes caused by improper data validation, memory allocation, and data handling.

Folder permissions
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0712
Impact: World-writable permissions on several directories, allowing potential file race conditions or local privilege escalation.
Description: Secure folder permissions are applied to protect the installer's receipt cache and system-level ColorSync profiles. Credit to Eric Hall of DarkArt Consulting Services, Michael Haller (info@cilly.com), and (root at addcom.de) for reporting this issue.

Mailman
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0202
Impact: Directory traversal issue in Mailman that could allow access to arbitrary files.
Description: Mailman is a software package that provides mailing list management. This update addresses an exposure in Mailman's private archive handling that allowed remote access to arbitrary files on the system. Further information is available from http://www.gnu.org/software/mailman/security.html.

Safari
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0234
Impact: Maliciously registered International Domain Names (IDN) can make URLs visually appear as legitimate sites.
Description: Support for Unicode characters within domain names (International Domain Name support) can allow maliciously registered domain names to visually appear as legitimate sites. Safari has been modified so that it consults a user-customizable list of scripts that are allowed to be displayed natively. Characters based on scripts that are not in the allowed list are displayed in their Punycode equivalent. The default list of allowed scripts does not include Roman look-alike scripts. Credit to Eric Johanson (ericj@shmoo.com) for reporting this issue to us. More information is available here.
 

J@ffa

macrumors 6502a
Jul 21, 2002
656
16
Behind you!
Wow, this made my mac feel much snappier!

Wait, I haven't installed it yet. :p

Seriously though, that's quite a big whack of updates. Is this any indication of Apple cleaning house before Tiger comes out, or just coincidental?
 

PlaceofDis

macrumors Core
Jan 6, 2004
19,232
4
J@ffa said:
Wow, this made my mac feel much snappier!

Wait, I haven't installed it yet. :p

Seriously though, that's quite a big whack of updates. Is this any indication of Apple cleaning house before Tiger comes out, or just coincidental?
I'd say just coincidental, because security updates will still be released for old OSes after Tiger comes out.
 

redeye be

macrumors 65816
Jan 27, 2005
1,138
0
BXL
just finished the update.
The adiumX menu bar icon does not work anymore. Adium itself does work without a problem. I'll try repairing permissions.

EDIT: permissions look ok according to Disk Utility...
 

vancenase

macrumors member
Jun 23, 2003
34
0
[gratuitous reply]

the third update this year?!? my gosh! why does Apple release so many updates?

[/gratuitous reply]
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
36,052
3,279
Los Angeles
I'm glad Apple added a feature to identify sneaky URLs that use other scripts to make a URL look like a well-known one.

Here is a sample of a URL containing an imposter letter "a":

http://www.аpple.com/

That is not a Latin-1 letter "a" in the word "apple". Instead, it is a Cyrillic lowercase a and there is a non-Apple website at that URL. The entity used is: & # 1 0 7 2 ;

You might be fooled by this URL before you apply this Security Update but should not be fooled afterwards, because the URL in your Address Bar will show as "www.xn--pple-43d.com/" instead of as "www.apple.com".

You can use the link above, before and after you update, to test how the change works.
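
The display rule from the Safari entry of the advisory and the test URL in the post above, as an added example that is not part of the original thread and is not Apple's code. The allow-list contents and the script lookup (first word of the Unicode character name, an approximation) are assumptions made for illustration.

```python
import unicodedata

# Assumption: stand-in for the user-customizable allow-list the advisory
# describes; the real default list is not given on this page.
ALLOWED_SCRIPTS = frozenset({"LATIN"})


def char_script(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    if ch.isascii():
        # ASCII letters are Latin; digits and hyphen belong to no one script.
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_scripts(label):
    """Set of scripts used in one DNS label, ignoring digits and hyphens."""
    return {char_script(ch) for ch in label} - {"COMMON"}


def display_label(label, allowed=ALLOWED_SCRIPTS):
    """Return the label natively if every script is allowed, else as Punycode."""
    if label.isascii() or label_scripts(label) <= allowed:
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def display_host(host, allowed=ALLOWED_SCRIPTS):
    """Apply the rule label by label, as an address bar would show the host."""
    return ".".join(display_label(l, allowed) for l in host.lower().split("."))


if __name__ == "__main__":
    # Constructed samples: the second uses U+0430 (Cyrillic a), as in the post.
    for host in ("www.apple.com", "www.\u0430pple.com"):
        print(ascii(host), "->", display_host(host))
```

Adding "CYRILLIC" to the allowed set makes the second host display natively again, which is why the advisory notes that the default list leaves out Roman look-alike scripts.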
 

timnosenzo

macrumors 6502a
Jun 21, 2004
889
0
ct, us
Doctor Q said:
I'm glad Apple added a feature to identify sneaky URLs that use other scripts to make a URL look like a well-known one.

Here is a sample of a URL containing an imposter letter "a":

http://www.аpple.com/

That is not a Latin-1 letter "a" in the word "apple". Instead, it is a Cyrillic lowercase a and there is a non-Apple website at that URL.

You might be fooled by this URL before you apply this Security Update but should not be fooled afterwards. You should be able to use this post to test how the change works.
whoa, that's a little scary! :eek:
 

PlaceofDis

macrumors Core
Jan 6, 2004
19,232
4
redeye_be said:
just finished the update.
The adiumX menu bar icon does not work anymore. Adium itself does work without a problem. I'll try repairing permissions.

EDIT: permissions look ok according to Disk Utility...
I would toggle this feature off and then back on, because it's working without a problem over here for me.
 

munkle

macrumors 68030
Aug 7, 2004
2,580
0
On a jet plane
Nice to see issues being dealt with. Why still no solution to the 'pop-under' probs? I've only encountered this once but it's been a known issue for a while now...
 

DPazdanISU

macrumors regular
Mar 15, 2004
173
0
Near Chicago
munkle said:
Nice to see issues being dealt with. Why still no solution to the 'pop-under' probs? I've only encountered this once but it's been a known issue for a while now...
they pop under not over so who cares? :eek: ;)
 

nagromme

macrumors G5
May 2, 2002
12,551
1,186
Optimizing/prebinding

auxplage said:
when it says "optimizing HD", what exactly is going on during that process?
"Optimizing" means the same thing as "prebinding":

"A dynamic library is just a big collection of functionality that the application can use to implement whatever features it needs. When an application dynamically loads a library, it has to find all of the chunks of functionality before it can use them. Each bit of functionality -- each function, class, constant, global variable, or whatever -- is represented by a symbol. ...

When an application or dynamic library is prebound, it means that the application or dynamic library contains a cache of all of the symbols it needs in an already bound state. When the application is launched, it automatically uses this information cache such that all symbols are bound without having to go through the arduous task of binding each symbol individually."


All about prebinding:
http://radio.weblogs.com/0100490/stories/2002/08/24/prebindingExplained.html
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,595
142
Bergen, Norway
MacBandit said:
I've been having the same problem with a new form of pop-unders with Safari and Firefox; both seem to be vulnerable. There is a possibility that one of the nightly builds of Firefox has fixed this, as I haven't been running the nightly builds.
Are you sure? I haven't had one single pop-up or -under since I "switched" to Firefox last November, not one single one! When the reports of pop-unders started emerging a month ago (or so), I visited every single site where Safari users reported pop-unders and Firefox took care of every single one... I've yet to see a site that cracks the pop-up blocker in Firefox, even if I've tried... Please give me examples of sites that trigger a pop-up or -under in Firefox...