Risk

2/12/2009
11:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Apple Drops Major Security Patch

Apple today released a bevy of patches that, by my quick count, fix about 55 bugs in its flagship OS X operating system as well as Java. Fortunately, through Software Update, the patch updates for Java for Mac OS X 19.5 Update 3, and Security UPdate 2009-001, which total 47 MB, went smoothly for this user.

Apple today released a bevy of patches that, by my quick count, fix about 55 bugs in its flagship OS X operating system as well as Java. Fortunately, through Software Update, the patch updates for Java for Mac OS X 19.5 Update 3, and Security UPdate 2009-001, which total 47 MB, went smoothly for this user.While the patches fix nearly 50 security holes, including a number in Java for OS X 10.5 and many of the open source components that provide some of the underbelly of the operating system, it's the Safari RSS flaw that is perhaps the most dangerous to the greatest number of users:

Safari RSS

CVE-ID: CVE-2009-0137 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6

Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution

Description: Multiple input validation issues exist in Safari's handling of feed: URLs. The issues allow execution of arbitrary JavaScript in the local security zone. This update addresses the issues through improved handling of embedded JavaScript within feed: URLs. Credit to Clint Ruoho of Laconic Security, Billy Rios of Microsoft, and Brian Mastenbrook for reporting these issues.

Looks like just visiting a maliciously crafted Web site is all that would be needed to nail your system.

More information about the update is available from Apple, right here.

If you haven't yet, run Software Update. Despite the number of fixes, it only took a few minutes for me to patch a Mac Pro and a MacBook Pro.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7268
PUBLISHED: 2018-05-21
MagniComp SysInfo before 10-H81, as shipped with BMC BladeLogic Automation and other products, contains an information exposure vulnerability in which a local unprivileged user is able to read any root (uid 0) owned file on the system, regardless of the file permissions. Confidential information suc...
CVE-2018-11092
PUBLISHED: 2018-05-21
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
CVE-2018-11096
PUBLISHED: 2018-05-21
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
CVE-2018-11320
PUBLISHED: 2018-05-21
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
CVE-2018-8142
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.