Tech Talk

[QuickTime 7.3.1 released]

FYI...

QuickTime 7.3.1 released
- http://docs.info.apple.com/article.html?artnum=307176
December 13, 2007
"...CVE-ID: CVE-2007-6166 - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6166
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data"

Download:
> http://www.apple.com/support/downloads/quicktime731forwindows.html
-or-
Use the Apple Software Update icon on your system.

[QuickTime 7.4 released]

FYI...

QuickTime 7.4 released
- http://docs.info.apple.com/article.html?artnum=307301

Download:
> http://www.apple.com/support/downloads/quicktime74forwindows.html
Post Date: January 15, 2008

Apple security updates
- http://docs.info.apple.com/article.html?artnum=61798
Last Modified on: January 15, 2008

- http://isc.sans.org/diary.html?storyid=3852
Last Updated: 2008-01-15 22:09:15 UTC - "...Note that this update does not yet appear to resolve the critical vulnerability reported last week by Luigi Auriemma (VU #112179*)."
* http://www.kb.cert.org/vuls/id/112179

[QuickTime 7.4.1]

FYI...

QuickTime 7.4.1 released
- http://www.apple.com/support/downloads/quicktime741forwindows.html
February 6, 2008 - "QuickTime 7.4.1 addresses security issues and improves compatibility with third-party applications. This release is recommended for all QuickTime 7 users..."
> http://docs.info.apple.com/article.html?artnum=61798
QuickTime 7.4.1
Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista / XP
06 Feb 2008
-------------------------

New: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0778
Last revised: 2/14/2008
Vulnerable software and versions... Apple, Quicktime, 7.4.1, and previous

 

[Mac OS X - Security Update 2008-002]

FYI...

Mac OS X - Security Update 2008-002
- http://docs.info.apple.com/article.html?artnum=307562
March 18, 2008 - "This document describes Security Update 2008-002, which can be downloaded and installed via Software Update preferences*, or from Apple Downloads..."
* http://docs.info.apple.com/article.html?artnum=106704

Apple Downloads:
- http://www.apple.com/support/downloads/
"Security Update 2008-002 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update."

- http://secunia.com/advisories/29420/
Release Date: 2008-03-19
Critical: Highly critical
Impact: Unknown, Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive  information, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X ...

 

[AirPort Extreme Base Station Firmware 7.3.1]

FYI...

AirPort Extreme Base Station Firmware 7.3.1
- http://support.apple.com/kb/HT1226
19 Mar 2008- "This document describes the security content of AirPort Extreme Base Station Firmware 7.3.1...
Products Affected: Airport Extreme Base Station, Security

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1012

Software updates for Mac OS X are available via:
* Software Update preferences: http://docs.info.apple.com/article.html?artnum=106704
* Apple Downloads: http://www.apple.com/support/downloads/

.

[QuickTime v7.4.5 for Windows]

FYI...

QuickTime v7.4.5 for Windows
- http://www.apple.com/support/downloads/
04/02/2008
"This release is recommended for all QuickTime 7 users..."

QuickTime v7.4.5 for Windows
- http://www.apple.com/support/downloads/quicktime745forwindows.html

Security content of QuickTime 7.4.5
- http://support.apple.com/kb/HT1241

- http://www.apple.com/support/quicktime/

- http://isc.sans.org/diary.html?storyid=4232
Last Updated: 2008-04-03 12:14:28 UTC - "...QuickTime version 7.4.5 which addresses 11 vulnerabilities. Vulnerabilities range from denial of service attacks, information leaks to (of course) remote code execution..."

- http://secunia.com/advisories/29650/
Release Date: 2008-04-03
Critical: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
...Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
Solution: Update to version 7.4.5...

 

[Java for Mac OS X 10.5]

FYI...

Java for Mac OS X 10.5 Update 1
- http://www.apple.com/support/downloads/
This Java for Mac OS X 10.5 Update 1 adds Java SE 6 version 1.6.0_05 to your Mac.


.

[Mac OS X 10.5.3 Update / 2008-003]

FYI...

Mac OS X 10.5.3 Update / 2008-003
- http://www.apple.com/downloads/macosx/apple/macosx_updates/macosx1053update.html
May 28, 2008

Security Updates
- http://support.apple.com/kb/HT1222

Security Update 2008-003 / Mac OS X 10.5.3
- http://support.apple.com/kb/HT1897

- http://secunia.com/advisories/30430/
Release Date: 2008-05-29
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X ...
Solution: Update to Mac OS X 10.5.3 or apply Security Update 2008-003...

[QuickTime 7.5]

FYI...

QuickTime 7.5
- http://isc.sans.org/diary.html?storyid=4547
Last Updated: 2008-06-10 11:27:16 UTC - "...Apple's security improvements* include fixes for:
- CVE-2008-1581: PICT images can lead to an heap overflow and code execution
- CVE-2008-1582: AAC coded media can lead to code execution
- CVE-2008-1583: PICT images can lead to an heap overflow and code execution
- CVE-2008-1584: Indeo video codec can lead to a stack buffer overflow and code execution - note the fix: "This update addresses the issue by not rendering Indeo video codec content."
- CVE-2008-1585: URL handling of URLs in QuickTime files could lead to attacker controlled application launch and code execution - note the fix: "This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them."
* http://support.apple.com/kb/HT1991

Download:
- http://www.apple.com/quicktime/download/

 

[Security Update 2008-004 and Mac OS X 10.5.4]

FYI...

Security Update 2008-004 and Mac OS X 10.5.4
- http://support.apple.com/kb/HT2163
Last Modified: June 30, 2008
Article: HT2163

Safari 3.1.2 for Mac OS X 10.4.11
- http://support.apple.com/kb/HT2165
Last Modified: June 30, 2008
Article: HT2165

- http://isc.sans.org/diary.html?storyid=4651
Last Updated: 2008-07-01 17:17:35 UTC ...(Version: 2) - "...One thing interesting that is not fixed, is the Apple Remote Desktop vuln..."

 

[Apple Security Update 2008-005]

FYI...

Apple Security Update 2008-005...
- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 08:27:35 UTC - "Apple released their patch overnight... Most importantly it contains the workaround for the DNS bug CVE-2008-1447. Also included is an upgrade to PHP 5.2.6 (which was released in source code at http://www.php.net/ on May 1st). Seems we all need to urge Job's gang to release patches significantly faster: it's the price to pay to base parts of your system on open source code. Apple Mac OS X users get it though software update. As always it's one big patch, given that little choice,  you'll want to PATCH NOW."

- http://support.apple.com/kb/HT2647
August 01, 2008

- http://www.apple.com/support/downloads/
07/31/2008

- http://secunia.com/advisories/31326/
Release Date: 2008-08-01
Critical: Highly critical
Impact: Security Bypass, Spoofing, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X ...
Solution: Apply Security Update 2008-005...

---

- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 20:06:50 UTC ...(Version: 3) "...UPDATE ...Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness..."

 

[QuickTime v7.5.5 released]

FYI...

QuickTime v7.5.5 released
- http://www.apple.com/quicktime/download/
09.09.2008

QuickTime 7.5.5
- http://support.apple.com/kb/HT3027
September 09, 2008
Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP, SP2, and SP3

- http://isc.sans.org/diary.html?storyid=5014
Last Updated: 2008-09-09 20:28:34 UTC - "...The QuickTime update to 7.5.5 refers to following CVE names:  CVE-2008-3615, CVE-2008-3635, CVE-2008-3624, CVE-2008-3625, CVE-2008-3614, CVE-2008-3626, CVE-2008-3627, CVE-2008-3628, CVE-2008-3629
...All of them are relating to opening "crafted" media files. Read: it's the typical list of input validation failures leading to code execution. You want this one if you have QuickTime installed..."

- http://secunia.com/advisories/31821/
Release Date: 2008-09-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3614
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3615
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3624
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3625
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3626
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3627
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3628
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3629
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3635

- http://www.us-cert.gov/current/#apple_releases_security_updates1

 

[Mac OSX 10.5.5 and Security Update 2008-006]

FYI...

Mac OSX 10.5.5 and Security Update 2008-006
- http://isc.sans.org/diary.html?storyid=5041
Last Updated: 2008-09-15 21:51:39 UTC - "...Apple released OSX update 10.5.5*. Built into 10.5.5 is Security Update 2008-006**, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it. Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases..."

* http://support.apple.com/kb/HT2405
"...Choose Software Update from the Apple menu to automatically check for the latest Apple software via the Internet, including this update..."

** http://support.apple.com/kb/HT3137

- http://www.theregister.co.uk/2008/09/16/apple_security_update_sept/
16 September 2008 - "...Both updates mend DNS security holes in older versions of BIND previously bundled with Apple's software..."

- http://secunia.com/advisories/31882/
Release Date: 2008-09-16
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch ...

 

[Mac OS X Java multiple vulns - update available]

FYI...

Mac OS X Java multiple vulns - update available
- http://secunia.com/advisories/32018/
Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X
...Some vulnerabilities in Java 1.4.2_16 and Java 1.5.0_13 can be exploited by malicious people to cause a DoS (Denial of Service), to bypass certain security restrictions, disclose system information or potentially sensitive information, or to compromise a vulnerable system...
Solution:
-- Java for Mac OS X 10.4 --
Update to Release 7:
http://www.apple.com/support/downloads/javaformacosx104release7.html
-- Java for Mac OS X 10.5 --
Apply Update 2:
http://www.apple.com/support/downloads/javaformacosx105update2.html ...
Original Advisory: Apple:
http://support.apple.com/kb/HT3179
http://support.apple.com/kb/HT3178

 

[Apple Mac OS X Security Update 2008-007 released]

FYI...

Apple Mac OS X Security Update 2008-007 released
- http://secunia.com/advisories/32222/
Release Date: 2008-10-10
Critical: Moderately critical
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X...
Original Advisory: Apple Security Update 2008-007:
http://support.apple.com/kb/HT3216

> http://www.apple.com/support/downloads/