
Security Update 2006-004 for Mac Pro released


CNET staff

Posted Wednesday, August 9th

Apple has issued a version of Security Update 2006-004 (which was originally released on August 1st) specifically for the new Mac Pro systems.

Mac Pros ship with a new build of Mac OS X 10.4.7, Build 8K1079. All of the security fixes that were in the initial version of Security Update 2006-004 are included in Mac OS X 10.4.7 Build 8K1079 except for two, which this update provides. Apple says these two fixes "were not fully tested in time for the manufacturing of the Mac Pro, and are being provided via this security update."

The following security fixes are provided only for systems running Mac OS X v10.4.7 Build 8K1079 or Mac OS X Server v10.4.7 Build 8K1079 to reach the full security level provided with Security Update 2006-004 (August 1 release):

ImageIO: Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X v10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462).

OpenSSH: Attempting to log in to an OpenSSH server ("Remote Login") using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. This update addresses the issue by properly handling attempted logins by nonexistent users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting this issue.

The new release is available through Software Update, or as a 2.3 MB standalone download.
