macfidelity

Description:

iVPN is an application that makes use of the standards based PPTP VPN server installed with Mac OS X. This VPN server is usually only available on Mac OS X Server and configured through the Server Admin application. iVPN makes it possible to use the same server utility on the client version of Mac OS X.

All you have to do to set it up is to enter the user name and password that you want your VPN clients to use, the IP address range you want to give to your clients and then click start server. iVPN will handle all the other settings and start the VPN server.

iVPN is the GUI that Apple left out.

Links:

• iVPN by MacServe.org.uk

Description:

iSSH is a front-end application to the command line application â ��œsshâ �� �. It provides a quick and easy way to start an SSH connection to a remote computer. You may be asking, â ��œWhatâ �� ��s the point of running SSH without an interactive command prompt (Terminal)?â �� � Well, running SSH in the background will not supply a prompt, but, it will forward ports. This is the main purpose of iSSH. You can set two options with iSSH; which ports to forward to the remote computer, or, to start an SSH SOCKS proxy. The first could be used to forward a VNC connection over SSH and the latter could be used to bypass your workâ �� ��s website filters! Either way, it provides a simple way to start an SSH connection for those who are afraid of the Terminal or just donâ �� ��t need it.

Apple has released a Mac OS X Leopard Security Guide with about 250 pages. The targetgroup are experienced Mac OS Users so if you have never worked with Terminal / ClI it might be not your thing.

Overview:

Chapter 1, â ��œIntroduction to Mac OS X Security Architecture,â �� � explains the infrastructure of Mac OS X. It also discusses the layers of security in Mac OS X.
Chapter 2, â ��œInstalling Mac OS X,â �� � describes how to securely install Mac OS X. The chapter also discusses how to securely install software updates and explains permissions and how to repair them.
Chapter 3, â ��œProtecting System Hardware,â �� � explains how to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect users of the computer.
Chapter 4, â ��œSecuring Global System Settings,â �� � describes how to secure global system settings such as firmware and Mac OS X startup. There is also information on setting up system logs to monitor system activity.
Chapter 5, â ��œSecuring Accounts,â �� � describes the types of user accounts and how to securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication.
Chapter 6, â ��œSecuring System Preferences,â �� � describes recommended settings to secure Mac OS X system preferences.
Chapter 7, â ��œSecuring Data and Using Encryption,â �� � describes how to encrypt data and how to use Secure Erase to verify that old data is completely removed.
Chapter 8, â ��œSecuring System Swap and Hibernation Storage,â �� � describes how to secure your system swap and hibernation space of sensitive information.
Chapter 9, â ��œAvoiding Multiple Simultaneous Account Access,â �� � describes how to avoid fast user switching and local account access to the computer.
Chapter 10, â ��œEnsuring Data Integrity with Backups,â �� � describes the Time Machine architecture and how to securely backup and restore your computer and data.
Chapter 11, â ��œInformation Assurance with Applications,â �� � describes how to protect your data while using Apple applications.
Chapter 12, â ��œInformation Assurance with Services,â �� � describes how to secure your computer services. It also describes how to protect the computer by securely configuring services.

Links:

• Apple Inc.
• Mac OS X Leopard Security Guide

Macworld.com offers a good article about several ways how to handle lockscreen aspects in Mac OS X.

Quote:

If you work with any kind of sensitive material from trade secrets to love letters you’ve probably wished for a way to block access to your Mac the minute you stand up. There are many ways to do this, from the obvious to the obscure. I’ll cover all the methods I know to accomplish this trick. For most of these methods to work, you need to require a password when your Mac wakes from sleep or screensaver mode. To do this, open System Preferences, go to the Security pane, and select the Require Password to Wake This Computer From Sleep or Screen Saver option. Now you’re ready.

A simple way to protect your files when you walk away from your computer is to hit Shift-Command-Option-Q to do a fast logout of your user. Your Mac will go back to the login screen. However, there’s a huge downside to this method’all of your currently-open documents will close, and any running applications will quit prior to the logout. Clearly there must be better alternatives, and there are.

You could also put the computer to sleep. Go to the Apple menu and select Sleep or, if you’re using a laptop, press the power button and choose Sleep from the pop-up dialog. (Note: This is an edit from the originally posted version, where I said to hold the power button down; if you do that long enough, you’ll turn the computer off.) Of course, it takes a bit of time to put a Mac to sleep and to wake it up. You may also have remote users connected to the machine, or some lengthy program running that you’d rather not interrupt. In those cases, this isn’t the ideal solution.

A relatively quick method of locking your Mac while still leaving your programs running is to activate the screen saver using a hot corner . To do this, open the Desktop & Screen Saver System Preferences panel, activate the Screen Saver tab, and click the Hot Corners button. Decide which corner of your screen you’d like to use, then click the corresponding pop-up menu and select Start Screen Saver. Now when it’s time to walk away, just fling your mouse into that corner of the screen, and you’ll trigger the screen saver.

Links:
Macworld-Article

Arstechnica about Five important security apps for Linux, Mac OS X and Windows

Eric Kennedy wrote a good article called
Keeping your Mac locked down: a Mac OS X security primer
about some security aspects while using Mac OS X on arstechnica.

Teaser:

Apple’s approach to security can be a little bewildering at times. It’s a well-trumpeted aspect of the OS, marketed in detail on the website. Mac OS X has integrated smartcard support and Apple has certified the OS under the Common Criteria guidelines; a section of Apple’s developer site is devoted to the subject of security.

At the same time, Apple didn’t offer cryptographically signed software updates until its hand was forced in July 2002. The company is notorious for boiling down release notes for software updates to “provides bug fixes and security updates” (although the separate mailings posted to the security-announce list do tend to offer a little more detail). While other Unix distributions tend to patch holes in open-source code relatively quickly, Apple sometimes delays rolling out a security fix in the open-source components of Mac OS X for months or even years.

The phrase “security through obscurity” gets tossed around from time to time when discussing Mac OS X. The theory is that since Macs still represent a fraction of the available computers on the internet, there’s less of an incentive for virus writers, malware authors, spambot harvesters, Comcast sales reps, and other purveyors of electronic evil to harass and attack the platform. Why target 5 percent of the population when you can get much better results by going after Windows?

Der CCC hat sich mal wieder mit dem Thema Fingerabdrà�cke auseinandergesetzt.

Interessant wie ich finde:

Der CCC Biometrie Artikel

CCC and Schà�ubles Fingerabdruck

ARD Reporter im EDEKA-Test auf YouTube

Heise.de zum Thema CCC und Schà�ubles Fingerabdruck

Zeit.de zum Thema CCC und Schà�ubles Fingerabdruck

Apple released Security Update 2008-002. More informations about the update here

You can get the update in the download section of apple

Quote out of article 307562:

This document describes Security Update 2008-002, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see “How to use the Apple Product Security PGP Key.”

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see “Apple Security Updates.”

Security Update 2008-002

• AFP ClientCVE-ID: CVE-2008-0044Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Accessing a maliciously crafted afp:// URL may lead to an application termination or arbitrary code execution

  Description: Multiple stack buffer overflow issues exist in AFP Client’s handling of afp:// URLs. By enticing a user to connect to a malicious AFP Server, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking.

• AFP ServerCVE-ID: CVE-2008-0045Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Cross-realm authentication with AFP Server may be bypassed

  Description: An implementation issue exists in AFP Server’s check of Kerberos principal realm names. This may allow unauthorized connections to the server, when cross-realm authentication with AFP Server is used. This update addresses the issue by through improved checks of Kerberos principal realm names. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm, Sweden for reporting this issue.

• ApacheCVE-ID: CVE-2005-3352, CVE-2006-3747, CVE-2007-3847, CVE-2007-5000, CVE-2007-6388Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in Apache 1.3.33 and 1.3.39

  Description: Apache is updated to version 1.3.41 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the Apache web site at http://httpd.apache.org For Mac OS X v10.5, Apache version 1.3.x is only shipped on Server configurations. mod_ssl is also updated from version 2.8.24 to 2.8.31 to match the upgraded Apache; no security fixes are included in the update.

• ApacheCVE-ID: CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, CVE-2007-6421, CVE-2008-0005Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in Apache 2.2.6

  Description: Apache is updated to version 2.2.8 to address several vulnerabilities, the most serious of which may lead to cross-site scripting. Further information is available via the Apache web site at http://httpd.apache.org

• AppKitCVE-ID: CVE-2008-0048Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Usage of the NSDocument API to may lead to arbitrary code execution

  Description: A stack buffer overflow exists in the NSDocument API’s handling of file names. On most file systems, this issue is not exploitable. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.

• AppKitCVE-ID: CVE-2008-0049Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: A local user may be able to execute arbitrary code with system privileges

  Description: A mach port in NSApplication intended for inter-thread synchronization is unintentionally available for inter-process communication. By sending maliciously crafted messages to privileged applications in the same bootstrap namespace, a local user may cause arbitrary code execution with the privileges of the target application. This update addresses the issue by removing the mach port in question and using another method to synchronize. This issue does not affect systems running Mac OS X v10.5 or later.

• AppKitCVE-ID: CVE-2008-0057Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

  Description: Multiple integer overflow vulnerabilities exist in the parser for a legacy serialization format. By causing a maliciously formatted serialized property list to be parsed, an attacker could trigger a heap-based buffer overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of serialized input. This issue does not affect systems running Mac OS X v10.5 or later.

• AppKitCVE-ID: CVE-2008-0997Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Querying a network printer may cause an unexpected application termination or arbitrary code execution

  Description: A stack based buffer overflow exists in AppKit’s handling of PPD files. By enticing a user to query a network printer, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of PPD files. This issue does not affect systems running Mac OS X v10.5 or later.

• Application FirewallCVE-ID: CVE-2008-0046Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: The German translation of the Application Firewall preference pane was misleading

  Description: The “Set access for specific services and applications” radio button of the Application Firewall preference pane was translated into German as “Zugriff auf bestimmte Dienste und Programme festlegen”, which is “Set access to specific services and applications”. This might lead a user to believe that the listed services were the only ones that would be permitted to accept incoming connections. This update addresses the issue by changing the German text to semantically match the English text. This issue does not affect systems prior to Mac OS X v10.5.

• CFNetworkCVE-ID: CVE-2008-0050Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: A malicious proxy server may spoof secure websites

  Description: A malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error. A malicious proxy server could use this to spoof secure websites. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue is already addressed in systems running Mac OS X v10.5.2.

• ClamAVCVE-ID: CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728Available for: Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in ClamAV 0.90.3

  Description: Multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1. Further information is available via the ClamAV website at www.clamav.net

• ClamAVCVE-ID: CVE-2006-6481, CVE-2007-1745, CVE-2007-1997, CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-0897, CVE-2007-0898, CVE-2008-0318, CVE-2008-0728Available for: Mac OS X Server v10.4.11Impact: Multiple vulnerabilities in ClamAV 0.88.5

  Description: Multiple vulnerabilities exist in ClamAV 0.88.5 provided with Mac OS X Server v10.4.11, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1. Further information is available via the ClamAV website at www.clamav.net

• CoreFoundationCVE-ID: CVE-2008-0051Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: A local user may be able to execute arbitrary code with system privileges

  Description: An integer overflow exists in CoreFoundation’s handling of time zone data. This may allow a local user to cause arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking on time zone data files. This issue does not affect systems running Mac OS X v10.5 or later.

• CoreServicesCVE-ID: CVE-2008-0052Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Visiting a website could cause files to be opened in AppleWorks

  Description: Files with names ending in “.ief” can be automatically opened in AppleWorks if Safari’s “Open ‘Safe’ files” preference is enabled. This is not the intended behavior and could lead to security policy violations. This update addresses the issue by removing “.ief” from the list of safe file types. This issue only affects systems prior to Mac OS X v10.5 with AppleWorks installed.

• CUPSCVE-ID: CVE-2008-0596Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: A remote attacker may be able to cause an unexpected application termination if printer sharing is enabled

  Description: A memory leak exists in CUPS. By sending a large number of requests to add and remove shared printers, an attacker may be able to cause a denial of service. This issue can not result in arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect systems prior to Mac OS X v10.5.

• CUPSCVE-ID: CVE-2008-0047Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution if printer sharing is enabled

  Description: A heap buffer overflow exists in the CUPS interface’s processing of search expressions. If printer sharing is enabled, a remote attacker may be able to cause an unexpected application termination or arbitrary code execution with system privileges. If printer sharing is not enabled, a local user may be able to gain system privileges. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.5. Credit to regenrecht working with the VeriSign iDefense VCP for reporting this issue.

• CUPSCVE-ID: CVE-2008-0053, CVE-2008-0882Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges

  Description: Multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6. These issues do not affect systems prior to Mac OS X v10.5.

• curlCVE-ID: CVE-2005-4077Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Running curl with a maliciously crafted URL may lead to an unexpected application termination or arbitrary code execution

  Description: A one byte buffer overflow exists in curl 7.13.1. By enticing a user to run curl with a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by updating curl to version 7.16.3. Crash Reporter was updated to match the curl changes. This issue does not affect systems running Mac OS X v10.5 or later.

• EmacsCVE-ID: CVE-2007-6109Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Format string vulnerability in Emacs Lisp may lead to an unexpected application termination or possibly arbitrary code execution

  Description: A stack buffer overflow exists in Emacs’ format function. By exploiting vulnerable Emacs Lisp which allows an attacker to provide a format string containing a large precision value, an attacker may cause an unexpected application termination or possibly arbitrary code execution. Further information on the patch applied is available via the Savannah Emacs website at http://cvs.savannah.gnu.org/viewvc/emacs/emacs/src/editfns.c?r1=1.439.2.3&r2=1.439.2.9&view=patch

• EmacsCVE-ID: CVE-2007-5795Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Safe mode checks in Emacs may be bypassed

  Description: A logic error in Emacs’ hack-local-variable function allows any local variable to be set, even if `enable-local-variables’ is set to :safe. By enticing a user to load a file containing a maliciously crafted local variables declaration, a local user may cause an unauthorized modification of Emacs Lisp variables leading to arbitrary code execution. This issue has been fixed through improved :safe mode checks. The patch applied is available via the Savannah Emacs website at http://cvs.savannah.gnu.org/viewvc/emacs/lisp/files.el?r1=1.937&r2=1.938&sortby=date&root=emacs&view=patch This issue does not affect systems prior to Mac OS X v10.5.

• fileCVE-ID: CVE-2007-2799Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution

  Description: An integer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Colin Percival of the FreeBSD security team for reporting this issue.

• FoundationCVE-ID: CVE-2008-0054Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Usage of the NSSelectorFromString API may result in an unexpected method being called

  Description: An input validation issue exists in the NSSelectorFromString API. Passing it a malformed selector name may result in the return of an unexpected selector, which could lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation on the selector name. This issue does not affect systems running Mac OS X v10.5 or later.

• FoundationCVE-ID: CVE-2008-0055Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: A local user can interfere in other users’ file operations and may be able to obtain elevated privileges

  Description: When performing a recursive file copying operation, NSFileManager creates directories as world-writable, and only later restricts the permissions. This creates a race condition during which a local user can manipulate the directory and interfere in subsequent operations. This may lead to a privilege escalation to that of the application using t he API. This update addresses the issue by creating directories with restrictive permissions. This issue does not affect systems running Mac OS X v10.5 or later.

• FoundationCVE-ID: CVE-2008-0056Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Programs using the NSFileManager API could be manipulated to execute arbitrary code

  Description: A long pathname with an unexpected structure can expose a stack buffer overflow vulnerability in NSFileManager. Presenting a specially crafted path to a program using NSFileManager could lead to the execution of arbitrary code. This update addresses the issue by ensuring a properly sized destination buffer. This issue does not affect systems running Mac OS X v10.5 or later.

• FoundationCVE-ID: CVE-2008-0058Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Visiting a maliciously crafted website may lead to a denial of service or arbitrary code execution

  Description: A thread race condition exists in NSURLConnection’s cache management, which can cause a deallocated object to receive messages. Triggering this issue may lead to a denial of service, or arbitrary code execution with the privileges of Safari or another program using NSURLConnection. This update addresses the issue by removing an unsynchronized caching operation. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Daniel Jalkut of Red Sweater Software for reporting this issue.

• FoundationCVE-ID: CVE-2008-0059Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

  Description: A race condition exists in NSXML. By enticing a user to process an XML file in an application which uses NSXML, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improvements to the error handling logic of NSXML. This issue does not affect systems running Mac OS X v10.5 or later.

• Help ViewerCVE-ID: CVE-2008-0060Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Accessing a maliciously crafted help: URL may lead to arbitrary Applescript execution

  Description: A malicious help:topic_list URL may insert arbitrary HTML or JavaScript into the generated topic list page, which may redirect to a Help Viewer help:runscript link that runs Applescript. This update addresses the issue by performing HTML escaping on the URL data used in help topic lists before building the generated page. Credit to Brian Mastenbrook for reporting this issue.

• Image RawCVE-ID: CVE-2008-0987Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

  Description: A stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of DNG image files. This issue does not affect systems prior to Mac OS X v10.5. Credit to Clint Ruoho of Laconic Security for reporting this issue.

• KerberosCVE-ID: CVE-2007-5901, CVE-2007-5971, CVE-2008-0062, CVE-2008-0063Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in MIT Kerberos 5 may lead to an unexpected application termination or arbitrary code execution with system privileges

  Description: Multiple memory corruption issues exist in MIT Kerberos 5, which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issues and the patches applied is available via the MIT Kerberos website at http://web.mit.edu/Kerberos/ CVE-2008-0062 and CVE-2008-0063 do not affect systems running Mac OS X v10.5 or later. CVE-2007-5901 does not affect systems prior to Mac OS X v10.4.

• libcCVE-ID: CVE-2008-0988Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Applications that use the strnstr API could be vulnerable to a denial of service

  Description: An off by one issue exists in Libsystem’s strnstr(3) implementation. Applications that use the strnstr API can read one byte beyond the limit specified by the user, which may lead to an unexpected application termination. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Mike Ash of Rogue Amoeba Software for reporting this issue.

• mDNSResponderCVE-ID: CVE-2008-0989Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: A local user may be able to execute arbitrary code with system privileges

  Description: A format string issue exists in mDNSResponderHelper. By setting the local hostname to a maliciously crafted string, a local user could cause a denial of service or arbitrary code execution with the privileges of mDNSResponderHelper. This update addresses the issue by using a static format string. This issue does not affect systems prior to Mac OS X v10.5.

• notifydCVE-ID: CVE-2008-0990Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: A local user may be able to deny access to notifications

  Description: notifyd accepts Mach port death notifications without verifying that they come from the kernel. If a local user sends fake Mach port death notifications to notifyd, applications that use the notify(3) API to register for notifications may never receive the notifications. This update addresses the issue by only accepting Mach port death notifications from the kernel. This issue does not affect systems running Mac OS X v10.5 or later.

• OpenSSHCVE-ID: CVE-2007-4752Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: A remote attacker may be able to execute arbitrary code with elevated privileges

  Description: OpenSSH forwards a trusted X11 cookie when it cannot create an untrusted one. This may allow a remote attacker to gain elevated privileges. This update addresses the issue by updating OpenSSH to version 4.7. Further information is available via the OpenSSH website at http://www.openssh.org/txt/release-4.7

• pax archive utilityCVE-ID: CVE-2008-0992Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Running the pax command on a maliciously crafted archive may lead to arbitrary code execution

  Description: The pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index. This issue does not affect systems prior to Mac OS X v10.5.

• PHPCVE-ID: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-4887Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in PHP 5.2.4

  Description: PHP is updated to version 5.2.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ PHP version 5.2.x is only provided with Mac OS X v10.5 systems.

• PHPCVE-ID: CVE-2007-3378, CVE-2007-3799Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in PHP 4.4.7

  Description: PHP is updated to version 4.4.8 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/

• Podcast ProducerCVE-ID: CVE-2008-0993Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Podcast Capture exposes passwords to other local users

  Description: The Podcast Capture application provides passwords to a subtask through the arguments, potentially exposing the passwords to other local users. This update corrects the issue by providing passwords to the subtask through a pipe. This issue does not affect systems prior to Mac OS X v10.5. Credit to Maximilian Reiss of Chair for Applied Software Engineering, TUM for reporting this issue.

• PreviewCVE-ID: CVE-2008-0994Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Saving to encrypted PDF in Preview produces files that may be read without the password

  Description: When Preview saves a PDF file with encryption, it uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4.

• PrintingCVE-ID: CVE-2008-0995Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Printing to encrypted PDF produces files that may be read without the `open’ password

  Description: Printing to a PDF file and setting an ‘open’ password uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4. This issue does not affect systems prior to Mac OS X v10.5.

• PrintingCVE-ID: CVE-2008-0996Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Printing to an authenticated print queue may disclose login credentials

  Description: An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5.

• System ConfigurationCVE-ID: CVE-2008-0998Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: A local user may be able to execute arbitrary code with system privileges

  Description: The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects.

• UDFCVE-ID: CVE-2008-0999Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Opening a maliciously crafted disk image may lead to an unexpected system shutdown

  Description: A null pointer dereference issue exists in the handling of Universal Disc Format (UDF) file systems. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown. This update addresses the issue through improved validation of UDF file systems. This issue does not affect systems prior to Mac OS X v10.5. Credit to Paul Wagland of Redwood Software, and Wayne Linder of Iomega for reporting this issue.

• Wiki ServerCVE-ID: CVE-2008-1000Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: A user with access to edit wiki content may be able to execute arbitrary commands as the wiki server

  Description: A path traversal issue exists in the Mac OS X v10.5 Server Wiki Server. Attackers with access to edit wiki content may upload files that leverage this issue to place content wherever the wiki server can write, which may lead to arbitrary code execution with the privileges of the wiki server. This update addresses the issue through improved file name handling. This issue does not affect systems prior to Mac OS X v10.5. Credit to Rodrigo Carvalho, from the Core Security Consulting Services (CSC) team of CORE Security Technologies.

• X11CVE-ID: CVE-2007-4568, CVE-2007-4990Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11Impact: Multiple Vulnerabilities in X11 X Font Server (XFS) 1.0.4

  Description: Multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security These issues are already addressed in systems running Mac OS X v10.5.2.

• X11CVE-ID: CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, CVE-2007-5269Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in X11’s libpng 1.2.8

  Description: The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html This issue affects libpng within X11. It does not affect systems prior to Mac OS X v10.5.

• • X11CVE-ID: CVE-2007-5958, CVE-2008-0006, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2Impact: Multiple vulnerabilities in the X11 server

    Description: Numerous vulnerabilities in the X11 server allow execution of arbitrary code with the privileges of the user running the X11 server if the attacker can authenticate to the X11 server. This is a security vulnerability only if the X11 server is configured to not require authentication, which Apple does not recommend. This update fixes the issue by applying the updated X.Org patches. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

ui…quite impressive list. Lets see if that solved my AFP problem hehe

Found that link via daringfireball.net
Quote:

Security vs. Privacy

If there’s a debate that sums up post-9/11 politics, it’s security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It’s the battle of the century, or at least its first decade.

Read the full story here

Apple has included a, lets call it strange, security feature in 10.5

Basically they flag files you have donwloaded from the web as quarantined. This means a dialog pops up the first time you launch/execute or whatever this file.

In some special cases this behavior could repeat itself with each file launch, but thats not the supposed way. It should only happen if the re-flag as un-quarantined does not work.

But back to the main topic. While this feature could make sense for usual users it just annoys me personally.

I was searching and finally found this article at http://henrik.nyh.se

A Vista-esque feature of OS X Leopard is that it tags web downloads (not just from Safari) as such and then warns you about running downloaded apps or scripts. Archived (e.g. zipped) files inherit the tag from their tagged container.

This is an annoyance to power users. Luckily, being a power user, I can do something about it.

Read the full article here.

Solution is based on Apple Script and Action Scripting/Folder Actions