Apple - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Apple


Safari Flaws Fixed in Monster Mac OS X Update



 By: Ryan Naraine
2005-08-16
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Apple story.


Rate This Article:
Poor Best
Apple ships a security update to cover 34 vulnerabilities in Tiger, including phishing flaws in the Safari Web browser.

Apple has shipped a monster security patch for Mac OS X to fix 34 flaws in the operating system and bundled third-party utilities.

The 17MB security update, available through Software Update and Apple Downloads, corrects a wide range of flaws in Mac OS X 10.3.9 (client and server).

Security alerts aggregator Secunia Inc. rated the update as "highly critical" and warned that Mac users are at risk of security bypass, cross-site scripting, data manipulation, data leakage, privilege escalation, denial-of-service and system access attacks.

The update includes two fixes for bugs in the default Safari Web browser that could allow phishing attacks.

Resource Library:
Read more here about recent buffer-overflow patches for Apples Tiger OS.

According to Apple Computer Inc., one of the Safari flaws could lead to the execution of arbitrary commands if a user clicks on a maliciously crafted rich text file from the browser.

"Safari renders rich text content using code that allows URLs to be called directly, which bypasses the normal browser security checks," the company said.

Another Safari flaw could allow information to be inadvertently submitted to the wrong site. "When submitting forms in Safari on an XSL-formatted page, data is sent to the next page browsed," Apple explained, noting that the update ensures the information is submitted correctly.

Three vulnerabilities in Apples implementation of the open-source Apache server are also addressed, including a buffer overflow in the "htdigest" program that could allow remote system compromise.

Another three flaws in "AppKit" are also addressed to correct buffer overflows in the way rich text files are handled. A separate buffer overrun could also allow the execution of arbitrary code when Word documents are read.

Apple also fixed three flaws in the Kerberos network authentication protocol, including one that could lead to system compromise.

"A heap buffer overflow in password history handling code could be exploited to execute arbitrary code on a Key Distribution Center (KDC). This issue does not affect Mac OS X 10.4," the company said.

An Apple "mega patch" plugs 20 holes in Mac OS X. Click here to read more.

The patch also includes fixes for multiple Kerberos buffer overflow vulnerabilities that could result in denial-of-service or remote compromise of a KDC.

The update also includes security patches for flaws in Bluetooth, CoreFoundation, CUPS, Directory Services, HItoolbox, loginwindow, Mail, MySQL, OpenSSL, ping, QuartzComposerScreenSaver, SecurityInterface, servermgrd, servermgr_ipfilter, SquirrelMail, traceroute, WebKit, Weblog Server, X11 and zlib.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Safari Flaws Fixed in Monster Mac OS X Update
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Apple Articles          >>> More By Ryan Naraine
 


x}v6s{)jlmMlcsEBc䐔//{8x|t%, UBPxCggD0pEIv}3齟%ym 4q=*2dx%CtjY)j~,sd3:e pDɛD%x_@jG @.Ss4[s2"׳9Fԗ7F0`p,FmgKzZB'Ajw-ZP8$PKE!ye5ַ0>t@T| p&DF;=a>$E%k4EpH>vn=[zn;B 1s¨!黖xHM-GVekVl"3ș30?Te L4H UHI^tXF?D9z uur<r4GΊܢn?A}mUu#ϙ!z8yIHU &1C Tw<-0;{tX .9ٌ[~i m-J b@)wܽiνoĩqs3yw[7?=Wj>(U? ?4h;XBR/`(.םnG.;[oA@ X_oem#5UJ`Z. I|-DGYu_G5](E~㖯[ K'Y̮gfVҐ gUUYڭމlni]ZWnZgG)7f٘Y j?ؕ΂gxg_:nNOn9nڗ'.9\qəzN0p'S Z_Zr\ރ z&b M u4}GVKyIEu}L2,ewB~9]Czf&j ͒edB_9H]KŗG)H3#Ú M#4ȄSHzPv@Sl ZS G/<@#D55cfM3,egy0AM)61pGv!fByn^){IK ߪz@@rݠPPWT]ϧKdoF" eF"ȅQ.% . g|8JKu9b8ni>U?zXoV͉"]XujmfE?iQw9qj>\NHsোV|߂)WF8 he4scR>MWJPXE@Uj@8ʍ?76m!S[ö@ .SjS+inL>:NPGmtRhx>:ACڴb{\gfc4!D&hϰapy4ڭN-%_ >< z&&z4mP`9`j#e& yG νdrgoMC?F:? a'0.Z- Be^~6axsԧPr` ڝfZc@{@OM\nGpIN3_hy>grGֶLoy@>J|zS.JuΩJJ&k"H\g2)*[hssp- d֌O,r1r@y?T_9XScX`Dw Lz?v&m/n$)L`V|=Ӝw+--$֜ek/ 7Ri_ۛ֙PK}o@x 0K_u/ jQt(>2АT um:\X0,# %>F!1~hϳa2(wnw߱>{jaaC+ wLYZf2잶)Υ_p5O[- V}:Le"6XCji=.#{Os)W]D^BlX.)Uij"yd\8˰De9F3t,˹_M?QɚH`WK- Ӟ@#@2*-ç c"D8th_(+ #G?_vwSzm>FA? %hPj#fJf L`.x8#JrEuX)(J9)` L` T<5&{[= 7 2$/Pk .a@Ck)& SZ`pELs :-UN-I Gz-X]>L, m?`"'t>Ѕڥnssa*73 ZOjZ(T+19ȗUTJs3;~nQet4R:wC~y90w7DFiY8 ^^};݂/r=2:?b + ;3E<&T$M_wr7t%YPIb+ģYބ~ U% 4V8f| O?>a=ECf0&LѦ9 "y@{y:Դ'*BfmBt)D`&~W؇^gm/R9TʚO"sQ3bQX hα{t;bG g  '%|3c’)k+4C 㔁z3MdhHhw?k_ϛ_Qm(}nq&-nf]{m97upl9S#GNQ͕G9X Uljq ͗ AūG:aˤW6nfa`Dh9;@_Jta0&3(ʃzbsuyeY]}v*LKxWJ=zG:/&"m>Us5ѱtNs|?եsg8X$΄,]3a QnaarO0(N%Z*`Җ @Vl䘇%b "8&K8.zKdDrzTjsnG .]oq)%\.UK+Ab259p\Semi;}֏*}zW<h)3P@ZhrGX \ Xߥ{N3 alo 8xYʂnZv` dR,WNM r/0:kzSH=YT\SG~<͠1pS Jxmb6{(}O, Eŵ:i2RBE-) 5CoE71e2X&(%\8 ,^۹~ m.E`1)[z 2ƷʨTASX" .D`7Ϩx3vc.b MYVY,nAyr `1o?#_FIkeD@X)J3dVVU9-_jARϢCsOFl_zĢr tDqd:iԣo!g3." 7Sc5̇uq\狠 R}#0 0 Q@Z'GY`Q.|aR)T~%ɠK= j Ŝ| S nhF^x)GA`?vpg-<92(Ԉ 8fX& 24şc1ynCv? X?Jv$}QLMXޟ9 #;?t%.}MwvH y{ڹI͋Co5S|OM1K0խxѤ"!麫tgL/h!/5g |Or!VYm!slPn4lS/O- V`!fw1d LRha& ǀzB,"q^7?Eǎ:Kyr6P `bT1J?ԟRJM9Q=#ijqə9PIQ):*9Q_[a8kѷo9Aߐ>O1Ok7tE?h[(KhL:`sR;t Ya~:)}BO-N9˙]#i^;o G jE5p!ASBy՚S)Z@c=iCly0;sb")&V9$-0m2l]$<0OMmFS:%I# Iդ,8Ihdy%!h%#bbVH o{ռܜ6<1ަmƙBƗȊ,X-Y+̦#/i\A1p",G7&>k&@Ϣ1 cா S ~]sުg9Gqܘx0u? }EkDI"FZ>ںx*$n@*$T0WenIVQlɯbRTTo{I)?<5ˢ087lLTfځv6^ؗȱ6qC Ĥ>ט.܅"Gz~sHNYo"k9CYR9<cӲvV)'gb&E<]_@f dk; ' _6zf=ыDp]t[W@mZ( )SX9|Lt(PI̽{Mz0w]Bd-.r @>s3Bl4j" L@-(T8MymXi2Dx~?{ ގ"eFُf&jO+b{bM?[4dW;Ub%ޗ,xDdIds+Y$.e%Ɛ^A23*q3mȣR-$C?=st{ \ʄDy*!O|qfhlc\I)Kj~/yo_"˛J 1aQ9έ4= JvDO}'WTv9?zبVQ7+Zesa>N-X0[\B _6 bYƖ/lMxySn*,fYå ) a-wx7~us~cUkleM9D:%UXF/ V|HS%>Vq#~s~s~s~sۻ[KeX}U.N!~`!t]~_5zp"DS#QCQJ|O{"ᰈEBXDZ>νE (A'P6"}+%M;6 i2_Ҁx"j*uN;ٖԂZ,Ϻ)^k`€dx3X0#Ky-g ϼ`g1YcM|!~{mEgӫl2fԄP>s;M$Lx,5aJ+fLA3dU\\*%)BD8x"Oxk1~ +^HlyȄ H Ieez/5LY^y&NK.Hc ǧڪClqT,%C(66;L0Ȝȣ!\lIh} [UߐU_o(Cdtet ÆLTylg;9ksƮE ~#ož+"x7 yT[[l*_UVlZl2О$oMw qL[bd= Tכ7OQ5HӍ$sM7hUc.!8{7~~X67 ~VxrJMv ,XTKtd>OC gMoq'Jゥ/R׻aS@am${5",netͦl1 ƭ?@y u&M]b?O~RJ~n'ֆ|oN\ 4;}^|~ jn`O[dhMaZI e~2Q DC'&U"cMCJ~jRRj Pc0]\#ռRW*YQL9qJ30_#>=wg`zE{z^{ny/T[g=#TXB LcF$"%.`|\J>HP*$6_h"=s` `\z1߾ w5W`ҲBŸ Ya _a᷍lsh<Z:q^aci*qwM[*{=yJ٥B:s3ˎ{^n9z.z{ǰ|oYZ`3+nޖTmmqVҽF Rx 3}$g٦w t KuSi~RB?o$eTb_CqFq{Za,k`Š,irBʇh%=-QӸPtv' <1_+@JLB(jNT\OpYB8!i®Qח]@ah!ۗ+Oa@)p=S1["fR1@Q->nr|vtV$!"eJLLn#B s83DD#^d9Q[$|־ ɜщ}Ӿbb WoP$P +wdc\|9+$%,%R)8T&}fA?pkwSJn67p>9 Z,a&4;`F" N-c8ĭ1d@  21L=kR{7 6t0^Q}1e&L}g)s!aZ;<}Q׏IB uXRFB(6s f`H릧/ u;6u_F`3W VjE)OBӾRs] U8ٯ|iG^ߧx6Uh?X{/g0M蕴B^ϐ!;}^h`>50 }a3br5cѼ:DN;פIN[-p=n_ڝKr:+lkni|ԭ9|:\}:m_ۗ=<fbv>L5mk LideAN/-fL)D{m6Ww^;OK"顱8;/^ُO|;_C)Qe3 \C QW~0`b_)o\jjŵ6vN|vuIcXuԢz h5{Q`1D 'M&7bQ:oH粕i&5+<v<_Q3W(uE5_//?n6Ww9hpZQ~ O>+vq^^>4'+ ?Ӿ\QWs7Z^~Wٮqb|.+/V^b}.+y?/?/V'_~+ϠlE?+/bE9\!?0~+ƯwVY:_:+ V swV_(ey+#\U~WoVެhfE77+/9IҊyʛ+y S*Lhʠ/V_yZUKPB(_/ntVkW+\.d\2ЯB@O1~oenldھ:$R+ ]QUKKD3cn%:X>y3/-"y!6D(nP$Y}MNJ 4tk 7b[yDYAI{R}tEI>tpŴ!&JR˯-7cENikr(%s<2g&g}=U2̑h#{"3ô=QǒG,n#=D>{%?|Ka19NnL(y(G@Kn9ڍ ~SG0nsOkr>ulgxvY^]X;X;Yo%P/IsgecپGh ߂dUd>j{V%Hi0\=<ˌoJ#nAm;] `/{hO'diA]e7P3 !G}z+L 52+ Er)<]SKghWCtJ# g[n;qF`iF_k$NR V˕R}#\#a`}{s5/T$`r|Y9(+PPफ़h[vRjohF>ǡ'N!3pC>&J5F!D`5~L@}ju"_ŗ1 {73/E5/*ጽL/X 1` HTLOcgv=u XI -3?ll{IW1hӐ$#lΒ]j"bؖLC['mS]ƑĹ3 ,E~f&gMcAݡ=G5cx-7:\A.|#; 7kEϮQx}CJ,3˹I Ǝ$z %3b{PN<>x8bYאY,&Jh݄ZsJdBM'KFGCo,QzpU {+2‡MNLZ;6Zd:T7>1qWV@UmÈk 1,xXqe( v='IDπhEMfάP?zG-tz JJ @b %Je^n <},b>"مxދ/! XD=$~1|oloMT*L[3 |qCڼAN,n6eE&PLiUדKAyH,݈ AQ6+yJ>? T|- 5{\6$DR }Jm?'6}F5+Kx|0 j;;5mTeK.Lc(ŬBCd=)O?6'[nN5%Y`1l4ae3 n=ձ wO`7G}޴mޢƈJu A]=_vs?/'_fk ?;a:9Y:}/#s!YX&7I /O: CѰ0K;,l~EG%RXRFmf fE[RjȒ 19,G xI1%h3l䃈mAb ?ic#),c}d)ȏ:|eJlwYU9s, jW6x/yc|>[zw00jPLP9͑ a0*=W7ZK]x-MǎCga+ec~,j胋IȽgz^4}j9]x 0cWPR X -f1%IDb88)ҡCAؚB>eS'@n0L|ٱ d9[\Oօ5.xBG,?ɋ|P byx ^ŧ$VS?xDGjoiih "y EwPvi?v[wmڟT;o!ٍ' ?ֲs`]i֕I9~NfS<:ѵepvu\\z`W٫׳$k0W' hlTz w9{^'-zvm^AHAe1"%+Ʃ>:jO јth;Ya]Ȕ-=9zn`o#,⏮if\P*yrQZXA-Q KK /QS>S2R@Kaóč2f(`v>KlUEQk;,9x%WrU34-P `"cmWիAw. o6cpa Vç&?wSg #]MOYgi*lqxUbWG~=Tx6w~ٹnu]^F_l\?E-Xe'%㍦_x&v҃.cf!:f')h-Ӣ2z*בZ Et~ Z+RbV % |NEbY0 = k*S0F\n)xd"@Łŏ"0/^l3OTRr-F`< ė3K˧Zb,XGt]܄]#+ 8b zt2^7Kǖ-.Y B~35B 1P#Y^P8 tiH',~,,}&0 j6.6hv2[F<8C|=..7.l ˻4G8qupeni`.j0g v ޑ,0{El>|?zi#Lw5jo7^vH 7&<妍e3J\0d#f5<ƷA2hl&,mu3p/ _=v{V(3!7~,!waٰ\vLĎ6;Hzpa-o/T3 _[%+( wd; )Pt~"YIWERV"3?3F/H&=9MnDʕԛN[#(ofo![4f9\ ` S3[pϑB6u8p?QOؼۤbĠ$k;!Zc dY^˞tڼh:L;U?|<Š#-ZQs}J`מzW͓dE[&{b6%Ct F*3]B5_WDH|j|g d,) p360|ar[4Clom'k6_b_/a1PUY(9?$d|J6eQm"' ]'¾4 lSyzqaY"g; 1\?