Saturday, August 2, 2008

The Apple Blog (2 posts)


The Apple Blog, published by and for the day-to-day Apple user, is a prominent source for news, reviews, walkthroughs, and real life application of all Apple products.
http://theappleblog.com


  • Security Update 2008-05 : DNS Flaw Finally Fixed

    Apple released Security Update 2008-05 which contains fixes for:

    • an Open Scripting Architecture (CVE-2008-2830) privilege elevation issue [10.4/10.5 Workstation & Server]
    • a filename handling issue in CarbonCore (CVE-2008-2320) which may lead to an application Denial of Service (DoS) or arbitrary code execution [10.4/10.5 Workstation & Server]
    • a web-exploitable CoreGraphics issue (CVE-2008-2321) that could lead to application DoS or arbitrary code execution [10.4/10.5 Workstation & Server]
    • another CoreGraphics issue (CVE-2008-2322) with PDF rendering, leading to application DoS or arbitrary code execution [10.4/10.5 Workstation & Server]
    • an issue with DataDetectors (CVE-2008-2323) where maliciously crafted content could lead to an application DoS [10.5 Workstation & Server]
    • a really cool permissions issue with Disk Utility (CVE-2008-2324) that would have allowed local users to act with system privileges [10.4 Workstation & Server]
    • an issue with OpenLDAP (CVE-2008-2952) where an attacker could have created an application DoS [10.4/10.5 Workstation & Server]
    • another DoS potential in OpenSSL (CVE-2007-5135) if maliciously crafted packets are processed [10.4/10.5 Workstation & Server]
    • five PHP 5 fixes [10.5 Workstation & Server]
    • a QuickLook issue with Microsoft Office documents (CVE-2008-2325) causing either an application DoS or arbitrary code execution [10.5 Workstation & Server]
    • two rsync vulnerabilities that may result in data access outside the module root [10.4/10.5 Workstation & Server]

    The “big daddy” of this update is the fix for the DNS cache poisoning problem that has been in the Apple and general tech & security news recently. This is a severe issue: DNS is the backbone of how systems & applications turn host names into IP addresses (so they know where to send you on the Internet), and the ability to poison those caches means you cannot trust where your network packets are going. Apple is the last major vendor to release a fix for this flaw and rightfully deserves some flak for it, since they could have shipped the patch on July 8th alongside the majority of the other vendors but chose to wait until this update bundle was ready to release.

    OS X Server is the most likely candidate for actually running BIND (the DNS server software that answers name lookups for other systems) and you need to patch IMMEDIATELY if you are using it. It takes a bit of work to get BIND running on plain-old Mac OS X, but you should run the update as soon as possible there as well (especially for some of the other fixes).

    A gaping hole still exists in OS X 10.3 and below: if you are still running those systems and hosting DNS, you will need to do a bit of work (download, compile & install the package from the ISC by hand). While supporting older operating system releases presents a real challenge to companies like Apple & Microsoft, it is not unreasonable to expect a decent number of 10.3 systems in the wild that need tending to, and Apple should have done more to ensure coverage for those installations (or at least have provided a series of steps one could take to fix the issue).

    Apple clearly dropped the ball here and has called into question their true commitment to security on their OS X platform or at least their ability to react quickly given all of the efforts they have in play. One also needs to remember that a version of OS X runs on the iPhone, iPhone 3G and iPod Touch and it is unclear whether the issues with CoreGraphics and DataDetectors exist on those platforms as well. It is much more difficult to both issue firmware updates and ensure decent update coverage with those mobile devices and Apple may need to come up with a way to deploy critical security fixes over-the-air directly to them rather than force consumers to do a full sync/update to remain secure.

    The security update should show up in Software Update and is also available via direct download from Apple.

    Let TAB readers know your take on how Apple handled this situation by dropping a note in the comments!




  • Tales From The Command Line: What's Going On? (lsof)

    As mentioned in the previous installment, there is a very useful command buried deep within the confines of your OS X terminal. This command - lsof (LiSt Open Files) - is like the Swiss Army knife of utilities, providing information on files, directories, volumes and even what is happening on the network. Unlike iftop, lsof does not require any downloads. Simply open up a Terminal.app session and enter: lsof.

    Give that command a minute to run and prepare to be overwhelmed with information in a cryptic, textual, tabular format. The command, used in that way, is actually pretty useless (from an interactive standpoint). Its true power is unleashed with the proper command-line options, the right execution privileges (lsof only reports on processes you are allowed to see, so prefix it with sudo to cover every process) and when combined with some other command-line-fu. After the small primer in this post, you should be well equipped to figure out what applications are talking on the network, what files your applications have open and what is keeping a volume from being ejected.

    Before we begin, it may be confusing that a utility which claims to list open files can also report on network traffic. You have to remember that in OS X (and UNIX-like systems in general) an open file may be a regular file, a directory, a block special file (enables communication with device drivers), a character special file (facilitates communication with a device one character at a time), a library, a stream or a network file (i.e. a network connection).

    The examples in this post also make heavy use of CLIX (Command Line Interface for OS X). As you’ll see, lsof output can be a bit much for those just getting started with Terminal.app, and CLIX provides a nice wrapper around the OS X command line utilities, lets you keep similar commands organized and shows results in a much friendlier output window than the Terminal. It comes with an amazing set of pre-built command libraries that are well worth the time to go through; you will come away with a great education on the innards of OS X.
    (more…)
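    A worked example, added here and not part of the original post or of lsof itself, of the “what is talking on the network” use described above, and of the DNS post's question of whether BIND is actually running on a box: a small POSIX shell script that filters the output of lsof -nP -i down to sockets accepting traffic, established outbound connections, and the owner(s) of a given port. The lsof output it parses is a constructed sample embedded in the script (not captured from a real machine) so it runs offline; the nine-column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) and the -nP flags (numeric hosts and ports) are the assumptions it relies on. When lsof is installed it also runs the same filter against the live machine.

```sh
#!/bin/sh
# Added example, not code from The Apple Blog post or from lsof: filter the
# output of `lsof -nP -i` into a short security-oriented summary.
# Assumptions: lsof's default nine-column layout
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# and the -nP flags, so NAME holds numeric addresses such as "*:53" or
# "10.0.1.5:49152->72.14.207.99:443", followed by a TCP state like "(LISTEN)".

# Constructed sample of `lsof -nP -i` output (not captured from a real machine).
SAMPLE_LSOF='COMMAND     PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named      1234           root    4u  IPv4 0x1a2b      0t0  UDP *:53
named      1234           root    5u  IPv4 0x1a2c      0t0  TCP *:53 (LISTEN)
cupsd       301           root    7u  IPv4 0x2b3c      0t0  TCP 127.0.0.1:631 (LISTEN)
Safari     4567            bob   22u  IPv4 0x3c4d      0t0  TCP 10.0.1.5:49152->72.14.207.99:80 (ESTABLISHED)
Safari     4567            bob   23u  IPv4 0x3c4e      0t0  TCP 10.0.1.5:49153->72.14.207.99:443 (ESTABLISHED)
mDNSRespo   120 _mdnsresponder    6u  IPv4 0x4d5e      0t0  UDP *:5353'

# Sockets that accept traffic: TCP sockets in LISTEN plus bound UDP sockets
# (UDP has no state column, so any UDP line without "->" counts).
# Reads lsof output on stdin; prints "PROTO PORT COMMAND PID USER".
listeners() {
    awk 'NR > 1 {
        proto = $8; name = $9; state = $10
        if (proto != "TCP" && proto != "UDP") next
        if (proto == "TCP" && state != "(LISTEN)") next
        if (proto == "UDP" && index(name, "->") > 0) next
        # the port is whatever follows the last colon (also right for [::1]:631)
        n = split(name, parts, ":")
        printf "%s %s %s %s %s\n", proto, parts[n], $1, $2, $3
    }'
}

# Established TCP connections: who is talking to whom.
# Reads lsof output on stdin; prints "COMMAND PID USER -> REMOTE:PORT".
established() {
    awk 'NR > 1 && $8 == "TCP" && $10 == "(ESTABLISHED)" {
        split($9, ends, "->")
        printf "%s %s %s -> %s\n", $1, $2, $3, ends[2]
    }'
}

# Owner(s) of one port, e.g. `port_owner 53` to learn whether BIND (named)
# is really serving DNS on this box. Reads lsof output on stdin.
port_owner() {
    listeners | awk -v p="$1" '$2 == p { print $3, $4, $5, "(" $1 ")" }'
}

echo "== sample: sockets accepting traffic =="
printf '%s\n' "$SAMPLE_LSOF" | listeners
echo "== sample: established connections =="
printf '%s\n' "$SAMPLE_LSOF" | established
echo "== sample: who owns port 53 =="
printf '%s\n' "$SAMPLE_LSOF" | port_owner 53

# Same filters against the live machine, when lsof is installed. Run the
# script as root to see every process rather than only your own.
if command -v lsof >/dev/null 2>&1; then
    echo "== live: sockets accepting traffic on this machine =="
    lsof -nP -i 2>/dev/null | listeners
fi
```

    Save it to a file and run it with sudo so the live section covers every process, not just yours; the same filters work on lsof output copied from another machine. For the third use mentioned in the post, a volume that refuses to eject, the plain argument form is the one to reach for: lsof /Volumes/NAME (NAME standing in for the volume) lists every open file on that filesystem, and the PID column tells you what to quit.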






