Safari 3.0.1 fixes three flaws – what about the others?

The recent Safari update, version 3.0.1, includes fixes for the following issues in the Beta release:

Protocol handler issue reported by Thor Larholm, CVE-2007-3186
DoS-type race condition issue reported by Aviv Raff, CVE-2007-3185
HTML handling issue reported by David Maynor, CVE-2007-2391

Apple needed only a few days to ship a fixed version, but many other vulnerabilities have been reported in Safari 3.0 Beta (for Windows and OS X) that are still open.

The download link for the Safari 3.0.1 Public Beta is:
www.apple.com/safari/download/

No MS advisories? Apple to the rescue

Apple has released a “megapatch” that plugs 45 different security holes. They range from vulnerabilities in Apple’s image viewing components and in the kernel to vulnerabilities in the bundled MySQL server, in the AppleTalk network protocol implementation and, finally, in OpenSSH.

More details can be found here.

Apple fixed four MoAB issues

Apple has released fixes for four vulnerabilities reported by the Month of Apple Bugs (aka MoAB) project in January.

The issues are a buffer overflow in Finder when handling volume names, a null pointer dereference in iChat’s Bonjour code when handling crafted messages, a format string vulnerability in iChat (related to the AIM URL handler) and an issue where the “UserNotificationCenter process running with elevated privileges in the context of a local user”.

Link to the advisory:
docs.info.apple.com/article.html?artnum=305102

Apple: We have a fix for MOAB-01-01-2007!

Apple has released a fix for the QuickTime rtsp:// URL Handler Stack-based Buffer Overflow, aka MOAB-01-01-2007.

No other fixes are included in Security Update 2007-001; the advisory is at

docs.info.apple.com/article.html?artnum=304989

As the identifier indicates, MOAB-01-01-2007 was disclosed on 1 January as the very first Month of Apple Bugs advisory.

It is worth noting that QuickTime for Windows versions 7.1.3.100 and below are affected too.

Best,
Juha-Matti Laurio

Mac’s iAdware – not blocked by Security Update 2006-007

Some forum discussions have erroneously claimed that Apple’s Security Update 2006-007, released last week, blocks the Mac ad/spyware iAdware (also known as OSX/Cosmac).

The update, including its Install component, does not prevent iAdware from working.

The PoC was originally listed here:

www.digitalmunition.com/dma.html

-> Advisory #44, “Macrocosm.tar.gz” – Macrocosm (detected as OSX.PopUp.gen)

KF has posted the answer to the Bugtraq list too.

Mac OS X 10.4 Security Checklist

Well, I know that this is a bit of a shameless plug, but I also think that it’ll help out anyone who is tasked with securing OS X in any way or form. I’ve just finished working with a bunch of guys on putting this checklist together for the SANS S.C.O.R.E. section on their website, so take a look and I hope it helps someone out. It covers all the basic parts of securing OS X, and is more than sufficient to get a lot of people started and to end up with a much more secure OS X installation.
http://www.sans.org/score/macosxchecklist.php?

Any comments highly appreciated.

My name is Macarena and I’m a PoC virus for OS X

Malware for Mac systems does not become public very often.

New information about a proof-of-concept virus for Macintosh systems is now available. From the new writeup:

Infects other files when they are executed in the current directory, regardless of file name or extension.

Additionally, the Symantec writeup lists the known infection length as 528 bytes.

The name of this new virus is OSX.Macarena.

Update: Ryan Russell’s blog entry has a coverage list of recent Mac malware.

Apple Airport 802.11 Exploit Published and the Value of HD Moore

From HD Moore at Metasploit: the Apple AirPort 802.11 exploit, which has just appeared on the Month of Kernel Bugs site:

Apple AirPort 802.11 Probe Response Kernel Memory Corruption

Boys and girls, the AirPort update is out

It happened earlier today. From the Apple Product Security mailing list:

APPLE-SA-2006-09-21 AirPort Update 2006-001 and
Security Update 2006-005

The security fixes described below are available in AirPort Update
2006-001 and Security Update 2006-005. AirPort Update 2006-001
contains an additional non-security fix to address a reliability
issue that occurs on a limited number of MacBook Pro systems.

AirPort version 4.2:
www.apple.com/support/downloads/airport42formacosx1033.html

About the security content of AirPort Update 2006-001 and Security Update 2006-005:

docs.info.apple.com/article.html?artnum=304420

NASA sites running OS X defaced

Zone-H lists the following NASA Web sites defaced today:

#1
http://avdc.gsfc.nasa.gov/phpgdv2

See mirror at zone-h.org/index2.php?option=com_mirrorwrp&Itemid=44&id=4402740

#2
http://avdc1.gsfc.nasa.gov/phpgdv2

See mirror and details at zone-h.org/index2.php?option=com_mirrorwrp&Itemid=44&id=4402742

The Zone-H.org archive lists these as mass defacements by the Byond Hackers Team.

WHOIS results for 128.183.103.227:

OrgName: National Aeronautics and Space Administration
OrgID: NASA
Address: IS05/Office of the Chief Information Officer
City: MSFC
StateProv: AL
PostalCode: 35812
Country: US

NetRange: 128.183.0.0 – 128.183.255.25

They have a separate “Cyberwar: the beginning” posting too:
www.zone-h.org/content/view/13932/30/

Time to apply OS X patch 2006-003 [UPDATED]

The third security update of 2006 for Mac OS X has been released.

This update fixes 25 separate vulnerabilities, including several issues in ZIP archive and image file handling reported by Tom Ferris.

The original security advisory from Apple is located at
docs.info.apple.com/article.html?artnum=303737.
Exploitation of many of these issues may lead to arbitrary code execution.

Some statistics:

Security Update 2006-001 – 15 issues
Security Update 2006-002 – 3 issues
Security Update 2006-003 – 25 issues

From the SANS Top 20 Spring Update:

2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities Shows Marked Increase in Zero-Day Attacks and Growth in Attacks on Apple OS/X

It’s time to visit the Apple Downloads site or use the Software Update feature.

UPDATE: I forgot to include a link to McAfee’s new white paper The New Apple of Malware’s Eye: Is Mac OS X the Next Windows? [PDF document, 6 pages]
UPDATE #2: According to Ferris’s new posting, ‘All of the Safari flaws within the Apple OS X Safari 2.0.3 Multiple Vulnerabilities advisory are still unpatched.’ Additionally, ‘The core issue “ReadBMP ()” .bmp Heap Overflow has not been fixed’.

Fixing silently is Apple’s business too

Apple Computer silently fixes security vulnerabilities too, says security researcher Tom Ferris, who has released information about several unpatched OS X flaws on his Web site.

Solution:
This issue was silently fixed by Apple in update 10.4.6.

http://docs.info.apple.com/article.html?artnum=303411

writes Mr. Ferris in his ‘sp-x2’ advisory, which discloses details of the Apple OS X 10.4.5 .tiff “LZWDecodeVector ()” heap overflow issue.

Marc Bevand recently started a thread, “Microsoft silently fixes security vulnerabilities”, on the Dailydave list.

Mac Mini running OS X got pwned in 30 minutes

“On February 22, a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer’s security and gain root control…” – writes ZDNet

“This sucks. Six hours later this poor little Mac was owned and this page got defaced. Good thing is it didn’t get rm’d!”

OSX/Inqtana False Positive

It’s old news that Sophos briefly took their corporate eye off the ball and released an IDE (virus identity file) that incorrectly detected Inqtana.B in some application files on OS X Macs. While the incident seriously inconvenienced some users and sites by necessitating reinstallation of some misdiagnosed programs, the vendor did replace the offending file very quickly, apologised, and put in place measures to avoid a recurrence.

Worryingly, however, some have seen this incident as an argument for jettisoning commercial anti-virus in favour of an open source solution. Is there a place for volunteer AV in the workplace, though? As a supplement, sure, as long as the organization and the end-user realise the limitations of the genre. I don’t doubt the motives of the public-spirited purveyors of AV freeware. The AV commercial vendors are not whiter than white, and of course they have a commercial agenda, but they have to meet standards of functionality and support in order to stay in the market place. Perhaps now, when malware authors seem to have rediscovered the Mac platform, is not the best time to put all your worm-free Apples in one basket, or entrust the corporate crown jewels to software that doesn’t detect all known malware on that platform, offers no guarantees of freedom from future FPs, and doesn’t offer professional levels of service and technical support?

Reports say OS X 10.4.5 cracked for non-Apple Intel PCs

According to a new RealTechNews article:

“… today a hacker named Maxxuss released a patch which updates MacOS to 10.4.5 and enables it to run on non-Apple Intel-based PCs.”

This hasn’t been covered in the news at all, in fact.

The article links to the Maxxuss Release Announcements page, which is marked ‘Last Updated: 23-Feb-2006’.

The weblog of Maxxuss, announcing ‘non-official information on Mac OS X for the x86 platform’, is located at maxxuss.theblog.cc.

This came only a week after news of the Don’t-Steal-Mac-OS-X poem embedded in OS X.

2 More OS X Inqtana Variants Found

What the hell is this, let’s-target-OS X week? This is directly from the guys over at F-Secure labs: they’ve just found 2 more variants of the OS X worm Inqtana.A, named Inqtana.B and Inqtana.C. The only difference is the way the worm starts on the infected machine once the user has accepted the OBEX transfer.

More details on this can be found on the F-Secure blog.
Guess this means that OS X is finally being taken seriously out there, and about time too.
What are everyone’s thoughts on all the OS X action we’ve been seeing lately?
