Shostack + Friends Blog Archive


Apple Security Update 2005-08

There’s a new security update from Apple, for both 10.3.9 and 10.4.2. If you browse the internet, or read email, you need it. I’m getting really annoyed at Apple’s update mechanisms. Not only the agreeing to a new license as part of the update, but the awful way in which they’re arranged. The technical data on this update is in “About Security Update 2005-008.”

The very first issue (CAN-2005-2747) is appropriately ordered: it’s an overflow in GIF interpretation in a (10.4) system library used by Safari. Then there are 2 mail issues, which I don’t rate as critical, a malloc local privilege escalation, and only then are we told about CAN-2005-2747, a buffer overflow in Quickdraw manager, which several important apps rely upon. Yesterday, I stopped reading before number five, thinking we were into local system attacks.

Added 24 Sept: It’s a shame that a company known for usability can’t make these things usable. See also “All Mac Browsers are crap.”

Anyway, time to update.