Technical Tidbits

I just received a notice from Cert about an advisory for an Apple Mac OS X vulnerabilty.  You know that software and computer that doesn’t need anti-virus because it’s so secure? Yeah! Those guys! (And yes, I’m in one of my smart a** moods today!)

The systems affected are:

• Apple Mac OS X versions prior to and including 10.4.11 (Tiger) and 10.5.4 (Leopard)
• Apple Mac OS X Server versions prior to and including 10.4.11 (Tiger) and 10.5.4 (Leopard)

Apple has released a security update for those computers that are so secure and never have any issues with security here: http://support.apple.com/kb/HT3137

But I’m sure the majority of Mac users won’t need this because after all, they are already secure.

The security update fixes several vulnerabilities that Mac users don’t really have.  The Cert Advisory claims that:

Attackers could exploit these vulnerabilities to execute arbitrary code, gain access to sensitive information, or cause a denial of service.

Among the list of fixes listed at Apple, we see the following vulnerabilities being fixed:

• Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.
• Multiple vulnerabilities exist in ClamAV 0.92.1, the most serious of which may lead to arbitrary code execution.
• A person with access to the login screen may be able to list user names
• A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.
• An attacker with access to the local network may cause a denial of service.
• Viewing a maliciously crafted TIFF, PICT, or JPEG image may lead to an unexpected application termination or arbitrary code execution. (Is unexpected application termination another name for a crash? No, it can’t be! Everyone knows Mac’s don’t crash!)
• Files may be accessed by a local user who does not have the proper permissions.
• A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks.
• A user may log in without providing a password.
• A person with access to the login screen may be able to change a user’s password.
• mDNSResponder is susceptible to DNS cache poisoning and may return forged information.
• Multiple vulnerabilities exist in OpenSSH versions provided with Mac OS X v10.4.11 and Mac OS X v10.5.4, the most serious of which allows a local user to control another user’s X11 session.
• A local user may obtain the PPP password.
• Users may be misled into believing their passwords are stronger than they are.
• Authenticated users may have unexpected remote access to files and directories.
• Backing up a system with Time Machine may lead to the disclosure of sensitive information.
• Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution.
• A remote attacker may cause persistent JavaScript injection on a Wiki server.

Welcome to the REAL world Mac users! The real world PC users are familiar with where nothing is taken for granted in terms of security.

You know what? You folks are looking more and more like a PC in terms of security! I’m sure glad I didn’t spend big money on your really secure machine that doesn’t need Antivirus because it’s SO secure! DANG! That would’ve really ticked me off!

And for those of you who are wondering why I’m being such a smart a**, you have no idea how many times I’ve been told in our courses that Apple Mac users don’t need to know about security because their machine is so secure it doesn’t even need Antivirus. And if I had a dollar for every Mac user in my security courses that have told me that the sales staff at the Mac store have told them this is so, I wouldn’t be looking at employment options right now!

In fact, if all PC and Mac users would realize that security is THEIR responsibility, I’d sell out every one of our courses we’ve offered during our Anniversary special! Am I in a bad mood? Yes I am. And the reason? Because I’m sick and tired of people telling me that nothing is every going to happen to them until it does. And then they come crying to me to fix their computer after the hack or malware attack, or the identity breach!

In fact, just this week, I had two family members inform me their identity has been breached! Which p*sses me off even more! This is what I teach! But not even my own family thinks it will happen to them after they hear me talk about it! But that’s a conversation for tomorrows blog entry.

Go update your MAC!

written by Admin \\ tags: apple, leopard, Mac, mac os x, mac security, mac vulnerabilities, pc security, Security, tiger