Tuesday, June 15, 2010

Apple Security Update 2010-004 / Mac OS X v10.6.4

--
UPDATED 2010-06-17. Please read item #3 in the summary list below!
--
On June 15th Apple kindly emailed me their list of security fixes in Security Update 2010-004, which is incorporated into the Mac OS X 10.6.4 update. Later in the day Apple posted the full report HERE.

Below is my summary of patches:

1) Three CUPS patches. (Cross-site request forgery; a cupsd bug; a web interface bug).

2) A Desktop Services patch. (Corrects a bug when applying permissions to enclosed items).

3) OOPS! Apple neglected to keep up with Adobe's Flash Player and instead installs the older version that is being hacked in the wild! This is a very bad oversight by Apple! If you haven't already, you must DIY install the latest Flash Player update HERE. Be certain to do it NOW.

Thankfully Apple's update installer does not remove an updated version of the Flash Player plug-in. No damage done.

***(The dangerous version of the Adobe Flash Player plug-in is 10.0.45.2. The security patched version is 10.1.53.64. You can check the version at: /Library/Internet Plug-Ins/Flash Player.plugin).

4) A Folder Manager patch. (Repairs a symlink bug).

5) A Help Viewer patch. (Yet-another JavaScript security hole. I hate JavaScript).

6) An iChat patch. (AIM related. Repairs a file path handling bug).

7) An ImageIO patch. (A buffer overflow problem with TIFF files).

8) Three Kerberos patches. (Buffer overflow; ticket handling bug; KDC request bug).

9) A libcurl patch. (Buffer overflow).

10) Two Network Authorization patches. (A NetAuthSysAgent patch for operation authorization privileges; format string bugs in afp, cifs and smb).

11) An Open Directory patch. (Man-in-the-middle attack via an unprotected server connection).

12) A Printer Setup patch. (Bug in handling a shared printing service).

13) A Printing patch. (Buffer overflow in the cgtexttops CUPS filter).

14) A Ruby patch. (WEBrick bug with a JavaScript security hole. Did I mention I hate JavaScript?)

15) An SMB File Server patch. (An Apple Samba symbolic links bug).

16) A SquirrelMail update. (Cross-site scripting insecurity, among several other problems).

17) A Wiki Server patch. (Cross-site scripting attack security hole).

∑ = 23 security patches.
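
For the Flash Player check in item #3, here is a small shell script, added as an example and not part of Apple's or Adobe's tooling, that reads the installed plug-in version and compares it field by field against the patched 10.1.53.64. It assumes the version is stored in the plug-in's `Contents/Info.plist` under `CFBundleShortVersionString`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: is the installed Flash Player plug-in older than the
# patched version named in the post?
PLUGIN="/Library/Internet Plug-Ins/Flash Player.plugin"   # path from the post
PATCHED="10.1.53.64"                                      # version from the post

# version_lt A B: succeeds when dotted version A is strictly older than B.
# Fields are compared numerically, left to right; missing fields count as 0,
# so 9.x sorts before 10.x (a plain string comparison gets that wrong).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1    # versions are equal
}

# flash_status VERSION: prints outdated, ok, or unknown (empty/non-numeric).
flash_status() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$PATCHED"; then echo outdated; else echo ok; fi
}

# installed_version: prints the plug-in version, or nothing if it is absent.
# Assumption: the version lives in CFBundleShortVersionString of Info.plist.
installed_version() {
    [ -d "$PLUGIN" ] || return 0
    defaults read "$PLUGIN/Contents/Info" CFBundleShortVersionString 2>/dev/null || true
}

v=$(installed_version)
if [ -z "$v" ]; then
    echo "Flash Player plug-in not found (or version unreadable) at $PLUGIN"
else
    echo "Flash Player $v: $(flash_status "$v")"
fi
```

Run it again after installing 10.6.4 to confirm the system update left the newer plug-in in place.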

As of this post, I have not yet installed 10.6.4. Keep an eye on MacFixIt for problem reports.

Before you update, remember to follow the routine: (1) Back up. (2) Repair your boot volume, including disk permissions. (3) Download and install the 'Combo' version of the update for best results. (4) After reboot, repair your disk permissions again. (Lately Apple have missed cleaning up a number of permissions errors after their updates. Adobe always leaves a permissions mess behind, which will most certainly be the case with the Flash plug-in update).
--
