MAAS History
Archives
Sunday
Jan 10, 2010

Bonjour Update 2010-001

Apple has released an update of Bonjour which improves the reliability of iTunes and Apple TV. Apple TV would disappear from the iTunes library and would not be available via Bonjour networking. This update will install on the server and does not require a restart.

Sunday
Jan 10, 2010

Buffer Overflow in libc/strtod

There is a proof of concept (POC) related to the libc/strtod and dtoa.c implementation in BSD, which Apple has been aware of for over six months. Mac OS X is a hybrid kernel based on Mach 3.0 and FreeBSD, so yes, it is BSD. This makes it susceptible to various bugs and exploits that can also affect BSD implementations. SecurityReason.com has posted a security alert and the POC code related to the buffer overflow on BSD, indicating that it could result in DoS (system crash) or malicious code execution. They have also included Mac OS X in this alert along with the posted POC.

 Fig. 1

The execution of arbitrary code cannot be accomplished using the printf function on the heap as stated on SecurityReason.com; they maintain that Mac OS X may be vulnerable. I have tested this and other functions such as asprintf, vprint and sprintf. (Fig. 1) OpenBSD and Mac OS X do ship with Executable Space Protection, which does prevent the execution of code on the heap. Code does not need to execute on the heap, but doing so is a far less labor-intensive and a reliable approach for attackers. Calls can be made back to libraries, which gives a buffer overflow a way around Executable Space Protection. (Return-to-libc is a common method.)

The best defense against these kinds of exploits is to install software only from trusted sources, check the sources, and not run them as an admin user. For day-to-day tasks (word processing, web, mail, etc.) you should never be logged in as a privileged user. From a development standpoint, secure coding practices are important. Lack of verification and validation can lead to a host of errors, so a secure development process should be used. Still, there is plenty of poorly written code that mishandles memory, validation and verification. If you do not trust the source for any reason, you should not install the software.

Thursday
Jan 07, 2010

Critical Vulnerabilities In Adobe Illustrator CS4 and CS3

Critical buffer overflow vulnerabilities exist in Adobe Illustrator CS4 (14.0.0) and Adobe Illustrator CS3 (<= 13.0.3) on the Macintosh and Windows platforms, which can lead to malicious code execution. The update process for the Mac requires you to alter the Package contents. In case you do not realize, an Application on the Mac is actually a Package (folder) which contains the contents of the application. You can open Terminal and cd into any application to view the contents. In Terminal you can use "open ." to open the folder in a viewer.

Users and Administrators should perform the update as described in the attached reference. It does not use the Adobe Updater, proving that there is much work that needs to be done by Adobe to improve the process.

Wednesday
Jan 06, 2010

SpamAssassin Suffers From Decade Based Bug

Mac OS X Server uses SpamAssassin to filter inbound spam for mail services. SpamAssassin increases the score on legitimate 2010 messages, resulting in the messages being marked as spam. Apple has two resolutions; the first is to disable the date rule by editing "/etc/mail/spamassassin/local.cf". Apple's support document uses vi; I like nano, so you can replace the sudo vi with sudo nano <fileName> or set the EDITOR value in your .profile file.

The second solution is to change the date rule for scoring on future dates by doing the following.

  • Stop mail server.
  • Open terminal and enter "sudo nano /usr/share/spamassassin/72_active.cf"
  • Find the "FH_DATE_PAST_20XX" rule and edit the header line to read
    • header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]
      • *You are changing the rule so that it will flag messages dated 2020 or later.

 

Many administrators customize the SpamAssassin settings, so any other date-related flags must be checked. The change in the decade has resulted in several decade-based bugs in various software packages on multiple platforms.
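
Added example (not from the original post or from Apple's support document): a small shell check for the advice above that other date-related rules must be reviewed. It lists every "header NAME Date =~ /regex/" rule whose pattern matches a given Date header. The sample rules are constructed, the pre-fix pattern 20[1-9][0-9] is an assumption about what shipped, and grep -E stands in for SpamAssassin's Perl regex engine, which is adequate only for simple character-class patterns like these.

```shell
#!/bin/sh
# Added example: find SpamAssassin Date-header rules that fire on a given date.

# Constructed sample rules. The first line assumes the pre-fix pattern; the
# second is the edited rule from the steps above under a hypothetical name.
sample_rules() {
    cat <<'EOF'
# constructed sample, not a real 72_active.cf
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
header LOCAL_DATE_FIXED Date =~ /20[2-9][0-9]/ [if-unset: 2006]
header LOCAL_SUBJ_TEST Subject =~ /2010 sale/
EOF
}

# date_rules_matching DATE_HEADER
# Reads rule text on stdin and prints the name of each Date-header rule whose
# regex matches DATE_HEADER. Rules on other headers and comments are ignored.
date_rules_matching() {
    date_header=$1
    # Reduce each "header NAME Date =~ /REGEX/ ..." line to "NAME REGEX".
    sed -n 's|^[[:space:]]*header[[:space:]][[:space:]]*\([A-Za-z0-9_]*\)[[:space:]][[:space:]]*Date[[:space:]]*=~[[:space:]]*/\([^/]*\)/.*$|\1 \2|p' |
    while read -r name regex; do
        # Assumption: the pattern is also valid as a POSIX extended regex.
        if printf '%s\n' "$date_header" | grep -Eq -- "$regex"; then
            printf '%s\n' "$name"
        fi
    done
}

# Demo: a legitimate message dated in 2010 should trigger no date rule.
echo "Rules firing on a 2010 message:"
sample_rules | date_rules_matching 'Sun, 10 Jan 2010 09:00:00 -0500'
echo "Rules firing on a 2020 message:"
sample_rules | date_rules_matching 'Fri, 10 Jan 2020 09:00:00 -0500'
```

To audit a server, feed the contents of the rule files named in the steps above to date_rules_matching on stdin together with a current Date header; any rule it prints will score against legitimate mail.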

Wednesday
Jan 06, 2010

Firefox 3.5.7 Update Release

Users should update to Firefox 3.5.7, which addresses performance and security issues. This includes an issue related to DNS resolution in MakeSN and nsAuthSSPI which resulted in proxy servers failing to resolve hosts. In addition, the user notification of major updates has been improved.