Slashdot Mirror


Apple's First 2005 Mac OS X Security Update Is Out

ollie_ob writes "Security Update 2005-001 has just hit Software Update for Mac OS X users, for those running 10.3.7 and 10.2.8 in both normal and server flavours of the OS. The update includes patches for: at commands, ColorSync, libxml2, Mail, PHP, Safari and SquirrelMail. Details are here. One of these fixes -- a modification to Apple Mail so it stops broadcasting your MAC address in plain text every time you send an email - will come as a welcome relief to those trying to keep their WEP-based wireless networks secure. Other highlights are PHP 4.3.10, and a Safari fix so that pop-up windows can't mislead users as to their apparent origin. The Mac OS X Server version of the patch also includes an update to SquirrelMail that stops browsers from executing scripted content in emails viewed(!). Interesting to note Apple's new naming scheme for the updates (last year, some updates came out dated days into the future - or past.) Also, there's a unified page for all future security updates."

3 of 91 comments

  1. oh, and don't forget the local root exploit by OmniVector · Score: 5, Informative
    See for yourself: http://otierney.net/files/root-osx.c. Basically exploits an suid bug in an iSync app. You can fix this local exploit by running:
    chmod a-x /System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter

    from the console
    --
    - tristan
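One way to confirm that the workaround in the comment above took effect, as an added example that is not part of the original comment or of Apple's update: it reads the mode string from `ls -ld` and reports whether a file still combines the setuid bit with any execute bit. The function name `suid_state` and its state labels are hypothetical; the default path is the one quoted in the comment.

```shell
#!/bin/sh
# Added example: report whether a file still combines the setuid bit with
# any execute bit. suid_state and its labels are hypothetical names.

# Path quoted in the comment above.
MROUTER=/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter

suid_state() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }

    # ls -ld prints e.g. "-rwsr-xr-x"; keep the nine permission characters.
    perms=$(ls -ld -- "$f" | cut -c2-10)
    u=$(printf '%s' "$perms" | cut -c3)   # owner execute slot
    g=$(printf '%s' "$perms" | cut -c6)   # group execute slot
    o=$(printf '%s' "$perms" | cut -c9)   # other execute slot

    # 's' = setuid + execute, 'S' = setuid without owner execute.
    case $u in s|S) suid=1 ;; *) suid=0 ;; esac

    # Lower-case s/t in a slot means the execute bit is also set there.
    runnable=0
    case $u in x|s) runnable=1 ;; esac
    case $g in x|s) runnable=1 ;; esac
    case $o in x|t) runnable=1 ;; esac

    if [ "$suid" -eq 1 ] && [ "$runnable" -eq 1 ]; then
        echo "exposed"               # setuid and still runnable
    elif [ "$suid" -eq 1 ]; then
        echo "suid-not-executable"   # the state chmod a-x leaves behind
    else
        echo "no-suid"
    fi
}

# Check the path given as the first argument, or the mRouter path by default.
printf '%s: %s\n' "${1:-$MROUTER}" "$(suid_state "${1:-$MROUTER}")"
```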
    1. Re:oh, and don't forget the local root exploit by nemo_felinemenace · Score: 5, Informative

      Hi, Just wondering if there's a reason you're posting my code on slashdot with the comments stripped? (code seen here: http://www.k-otik.com/exploits/20050123.fm-iSink.c.php) Regards nemo@felinemenace.org

  2. Re:Repair permissions after install by AddressException · Score: 5, Informative

    Isn't that Command-Shift-U for Utilities?