Buffer overrun security leak: a follow-up

CNET staff
Sudo command leak not fixed in update

Yesterday, we reported a potential buffer overrun security leak involving the sudo command (used in Terminal). Today, securemac.com states that this has not been fixed in the Mac OS 10.0.2 update.

Buffer overrun and ftp leak: fixed in 10.0.2?

On a related note, an MDJ article points out that the security risks of Mac OS X running UNIX (as described in the BusinessWeek article noted here yesterday) are not as bad as the article suggests. For example, while Mac OS X is potentially vulnerable to the buffer overrun problem described by CERT, a hacker would need to "upload raw binary code as part of a FTP command to exploit the weakness, so that binary code must be compiled PowerPC instructions." In any case, it appears likely that the ftpd update included as part of OS 10.0.2 (see this item) fixes this leak (which is separate from the sudo leak).