This document describes Security Update 2007-002, which can be downloaded and installed via Software Update preferences, or from Apple Downloads. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key." Where possible, CVE IDs are used to reference the vulnerabilities for further information. To learn about other Security Updates, see "Apple Security Updates." Security Update 2007-002- Finder CVE-ID: CVE-2007-0197 Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8 Impact: Mounting a maliciously-crafted disk image may lead to an application crash or arbitrary code execution Description: A buffer overflow exists in Finder's handling of volume names. By enticing a user to mount a malicious disk image, an attacker could trigger this issue, which may lead to an application crash or arbitrary code execution. A proof of concept for this issue has been published on the "Month of Apple Bugs" website (MOAB-09-01-2007). This update addresses the issue by performing additional validation of disk images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.
- iChat CVE-ID: CVE-2007-0614, CVE-2007-0710 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8 Impact: Attackers on the local network may be able to cause iChat to crash Description: A null pointer dereference in iChat's Bonjour message handling could allow a local network attacker to cause an application crash. A proof of concept for this issue in Mac OS X v10.4 has been published on the "Month of Apple Bugs" website (MOAB-29-01-2007). A similar issue exists in Mac OS X v10.3. This update addresses the issues by performing additional validation of Bonjour messages.
- iChat CVE-ID: CVE-2007-0021 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8 Impact: Visiting malicious websites may lead to an application crash or arbitrary code execution Description: A format string vulnerability exists in the iChat AIM URL handler. By enticing a user to access a maliciously-crafted AIM URL, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. A proof of concept for this issue has been published on the "Month of Apple Bugs" website (MOAB-20-01-2007). This update addresses the issue by performing additional validation of AIM URLs.
- UserNotification CVE-ID: CVE-2007-0023 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8 Impact: Malicious local users may be able to obtain system privileges Description: The UserNotificationCenter process runs with elevated privileges in the context of a local user. This may allow a malicious local user to overwrite or modify system files. A program that triggers this issue has been published on the "Month of Apple Bugs" website (MOAB-22-01-2007). This update addresses the issue by having UserNotificationCenter drop its group privileges immediately after launching.
附注:Apple针对最近的系统提供了安全类的更新,可以通过系统的system update来更新,同时也提供了去官方站点下载,请大家们及时更新,主要修正了Finder,iChat,UserNotification3个问题
點擊進入官方下載界面
[ 本帖最后由 Junne 于 2007-2-27 14:36 编辑 ]
★★★
|
发表于 2007-2-27 14:33
关于我们