If you own a Mac, get patching.
And you thought it was just Microsoft products that needed to be patched.
Apple have announced the release of update 10.4.8 for 10.4 users and Security Update 2006-006 for 10.3 users.
I don't normally bother posting such notices, but a couple of things here caught my eye, and I have to say that any OS X users reading this need to update to the appropriate patch level as a matter of extreme urgency.
CFNetwork
CVE-ID: CVE-2006-4390
Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated.
Description: Connections created using SSL are normally authenticated and encrypted. When encryption is implemented without authentication, malicious sites may be able to pose as trusted sites. In the case of Safari this may lead to the lock icon being displayed when the identity of a remote site cannot be trusted. This update addresses the issue by disallowing anonymous SSL connections by default. Credit to Adam Bryzak of Queensland University of Technology for reporting this issue.
Ouch. Seems like a big Phisherman's friend to me. After all, you don't need to supply a cert, and the few users who know about SSL will be happy just to see the SSL lock appear. Hmmm. Any Mac-using readers think their bank's website looked a little odd when you were replying to their latest email?
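To make the CFNetwork point concrete, here is an added example (my code, not Apple's CFNetwork or Safari) that models the missing check as a cipher-suite policy: an anonymous Diffie-Hellman suite gives you encryption with no certificate and therefore no authentication, so a lock icon driven only by "the handshake completed" is wrong. The block also shows how to build a Python ssl client context that can never negotiate an anonymous suite. The suite names and the session list are constructed for the example; `show_lock`, `is_anonymous_suite` and the other function names are mine.

```python
"""Lock-icon policy for TLS sessions: encrypted is not the same as authenticated.

Added example, not Apple's code. Anonymous key exchange (IANA names
TLS_DH_anon_* / TLS_ECDH_anon_*, OpenSSL names ADH-* / AECDH-*) encrypts
the session but presents no certificate, so the peer's identity is unknown.
"""
import re
import ssl

# Patterns identifying key exchange that authenticates nobody.
_ANON_IANA = re.compile(r"^TLS_(DH|ECDH)_anon_WITH_", re.IGNORECASE)
_ANON_OPENSSL = re.compile(r"^A(EC)?DH-", re.IGNORECASE)


def is_anonymous_suite(name: str) -> bool:
    """True if the named suite's key exchange involves no server credential."""
    return bool(_ANON_IANA.match(name) or _ANON_OPENSSL.match(name))


def show_lock(suite: str, cert_chain_verified: bool) -> bool:
    """Decide whether a session deserves the lock icon.

    A client with the CFNetwork bug effectively returned True whenever the
    handshake succeeded.  The correct rule needs both halves: an
    authenticated key exchange AND a certificate chain that verified.
    """
    if is_anonymous_suite(suite):
        return False  # no certificate was ever presented
    if not cert_chain_verified:
        return False  # certificate presented but not trusted
    return True


def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot negotiate anonymous suites at all.

    create_default_context() already enables peer and hostname verification;
    the cipher string additionally strips aNULL (anonymous authentication)
    and eNULL (no encryption) so the ClientHello never offers them.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5")
    return ctx


def context_offers_anonymous(ctx: ssl.SSLContext) -> bool:
    """Inspect the cipher list a context would advertise in its ClientHello."""
    return any(is_anonymous_suite(c["name"]) for c in ctx.get_ciphers())


# Constructed sessions for illustration: (suite, chain verified?)
SESSIONS = [
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),   # real bank site
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),  # self-signed phish
    ("TLS_DH_anon_WITH_AES_128_CBC_SHA", True),        # anonymous DH phish
    ("AECDH-AES256-SHA", False),                       # OpenSSL-style name
]

if __name__ == "__main__":
    for suite, verified in SESSIONS:
        print(f"{suite:40} verified={verified!s:5} lock={show_lock(suite, verified)}")
    ctx = hardened_client_context()
    print("hardened context offers anonymous suites:", context_offers_anonymous(ctx))
```

The pre-patch behaviour corresponds to dropping the `is_anonymous_suite` branch: the `cert_chain_verified` flag is vacuously fine when no certificate was sent, so only the explicit suite check closes the hole. The same `!aNULL` exclusion belongs in any client cipher string you control, not just browsers.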
ImageIO
CVE-ID: CVE-2006-4391
Impact: Viewing a maliciously-crafted JPEG2000 image may lead to an application crash or arbitrary code execution.
Description: By carefully crafting a corrupt JPEG2000 image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of JPEG2000 images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Saxton of Idle Loop Software Design for reporting this issue.
I'm fairly sure I've seen something akin to this somewhere else you know. Think Robert... think... Oh well, it'll come to me, I'm sure.
It's not all about Apple, though. It seems Microsoft have a few interesting problems of their own, not to mention being accused of handling them in an interesting way. If you use MS Office on a Mac, note that the issues behind those links apply to you too, and act accordingly. It takes a special kind of mistake to exist in five different versions of a piece of software across two totally different platforms.
I really hope the NIST story about Microsoft's handling of this is untrue, by the way. If it's true, it's a slap in the face for the AV community, which was in place long before Microsoft decided to muscle in. It's a slap in the face for Windows users, aka Microsoft's entire customer base, punishing them for not buying AV with an unknown (at best) pedigree from Microsoft, and, let's not forget, it undermines the security and reputation of Microsoft's own platform.
It makes no sense for it to be true (which of course didn't stop WGA being invented...).
Therefore it's either not true (or at least not the whole story), or it's an absolute disgrace, labelling any claim of "trustworthy computing" a joke and placing Microsoft's approach to security only a few steps above Sony's reputation for trustworthy music CDs that don't try to root your computer every time you listen to them. BTW, I'm still not buying Sony since that event. Neither should you.