Full Disclosure mailing list archives
Re: Anti-MS drivel
From: yossarian <yossarian () planet nl>
Date: Thu, 22 Jan 2004 20:11:49 +0100
Dream on or read below - it has BIND, Sendmail, SSH - the works - or rather not works.

12.19.2003 News: Apple released Security Update 2003-12-19, described as offering numerous security updates such as fixes for Directory Services, fetchmail, fs_usage, rsync, system root via USB keyboard, file server, and a few buffer overflow issues.

12.17.2003 News: Apple released 10.3.2, accessible via the Software Update pane in Mac OS X. The update includes enhancements for FileVault and increased security for the system.

11.26.2003 News / Security Advisory: William Carrel's security advisory is SERIOUS. Mac OS X is vulnerable to malicious DHCP responses granting root access to remote users. The full security advisory can be found here: http://www.carrel.org/dhcp-vuln.html

11.10.2003 News / Security Advisory: FileVault in Mac OS X 10.3 (Panther) does not securely delete the files it encrypts; they can be restored with file recovery software. FileVault Security Advisory - Secure Delete after Encryption.

10.31.2003 News / Security Advisory: Mac OS X 10.2.7 and prior, along with a USB keyboard, contain a security vulnerability that allows a user to gain root access to the computer by holding down a two-key combination during startup that only. Read about root access via USB keyboard on Mac OS X.

10.28.2003 News / Panther Security Advisory: Mac OS X Panther (10.3) contains a security vulnerability: with access to the keyboard, an unauthorized user can access the currently active screen-locked user environment. Security Advisory - Read full

10.24.2003 News: Mac OS X 10.3 (a.k.a. Panther) has been released. This new version contains many new security features, fixes and all-around new applications for Mac OS X users. Amongst the new features is the file security utility FileVault; review to come shortly.

9.17.2003 News: A new SSH exploit (detailed here) affects Mac OS X, granting the attacker access to the computer as root. This vulnerability exists in OpenSSH versions prior to 3.7, and Mac OS X is currently only at OpenSSH 3.4. To protect yourself from this security risk, disable SSH access to your computer by opening the Sharing control pane and making sure that Remote Login is disabled, or set up your firewall to restrict access to the SSH port to only allow trusted connections. We will update this issue when Apple releases a security update.

7.07.2003 News: A security vulnerability in Mac OS X's password-protected screensaver has been discovered, allowing a user with physical access to bypass the screensaver's authentication scheme without supplying a valid password.

5.13.2003 News: Keep your Apple AirPort administrator password safe. An advisory has been released detailing how an anonymous attacker can sniff and obtain the administrator's password when the administrator logs into the AirPort Base Station to manage it while connecting to it via a network or non-WEP-enabled wireless connection, based on the unit's method of password authentication. Secure connectivity can be obtained by connecting a computer directly to the computer via a cross-over cable. Full details about the authentication credentials involved with the AirPort can be read in the @Stake advisory - CAN-2003-0270.

4.10.2003 News / Security Update! Mac OS X 10.2.5 has been made available for update! This version fixes security issues in Apache 2.0 (CAN-2003-0132), File Sharing/Service (CAN-2003-0198), DirectoryService (@Stake), OpenSSL (CAN-2003-0131), Samba (CAN-2003-0201), and sendmail (CAN-2003-0161). Details as follows:
Directory Services - Mac OS X and Mac OS X Server contain a security hole in DirectoryServices which allows for escalation of privileges and denial of service attack, which is fixed with the 10.2.5 update. DirectoryServices is part of the operating system's information services subsystem, and is launched setuid as root by default. Credit for this find goes to Dave G. as noted by Apple's security advisory.
OpenSSL - The new version fixes OpenSSL so it is not susceptible to the known Klima-Pokorny-Rosa attack.
sendmail - Contained an issue where it did not adequately check the length of email addresses in the address parsing code.
Apache 2.0 - Fixed a known denial of service vulnerability in Apache 2.0 - 2.0.44; the Apache 2.0 service is only present in Mac OS X Server.

3.24.2003 News: Apple has released Security Update 2002-03-24, which is downloadable via Software Update in Mac OS X. This update addresses a few security issues, including Samba's vulnerability allowing the possibility for an unauthorized remote user to access the system. OpenSSL security fixes are also included in this update; an issue lies within OpenSSL where the RSA private key could be compromised when communicating over certain protocols.

3.04.2003 News: A security vulnerability in sendmail included in Mac OS X has been fixed and addressed in Apple's Software Update. Please update your Mac OS X immediately. The ISS warning discusses the issue.

3.03.2003 News: MacScan Public Beta 3 has been released. MacScan runs on both Mac OS Classic and Mac OS X to detect, isolate, and remove spyware. This new version includes bug fixes, new spyware detection and also a full administrative scan for Mac OS X.

2.14.2003 News: Apple has released Mac OS X 10.2.4, which addresses a security issue discovered by @Stake known as the TruBlueEnvironment Privilege Escalation Attack. Clicking the link will take you to a page with information on the subject and the advisory. The security issue exists in Mac OS X systems prior to 10.2.4 and allows local users to gain root privileges.

1.31.2003 News: Mac OS X Screen Effects' password protection contains a security flaw which allows a user with physical access to the keyboard to quit or launch programs while being prompted to enter the password. When Full Keyboard Access is turned on (toggled on/off by pressing shift+F1), the Dock can be accessed 'blindly'; although you cannot see it, the Dock is still functioning.

1.25.2003 News: LittleSecrets allows Macintosh (X) users to store their 'little secrets' in an encrypted format using the 448-bit cipher block chaining Blowfish algorithm. The application may also optionally interface with your Keychain. Read the Review, See Screenshots and Download Now.

12.20.2002 News: Apple has released Mac OS X 10.2.3, which adds security fixes to the operating system as well as more support and bug fixes. Below are the security update details:
fetchmail updated to version 6.1.2+IMAP-GSS+SSL+INET6
CAN-2002-1383: Multiple Integer Overflows
CAN-2002-1366: /etc/cups/certs/ Race Condition
CAN-2002-1367: Adding Printers with UDP Packets
CAN-2002-1368: Negative Length Memcpy() Calls
CAN-2002-1384: Integer Overflows in pdftops Filter and Xpdf
CAN-2002-1369: Unsafe Strncat Function Call in jobs.c
CAN-2002-1370: Root Certificate Design Flaw
CAN-2002-1371: Zero Width Images in filters/image-gif.c
CAN-2002-1372: File Descriptor Resource Leaks

11.21.2002 News: Mac OS X 10.2.2 is available for download; go to the Software Update panel and proceed to update. The fix includes a few security-related issues as well as many bugs in the system. The security update of 11-21-2002 fixes a security issue related to BIND (Domain Server and Client Library software) where an unauthorized person could disrupt normal operation.

11.13.2002 News: FWB Privacy Toolkit Volume 1 was released today, giving Mac OS 9 and Mac OS X users the ability to encrypt files and folders on their hard disk, and also to securely delete files by overwriting the data, making it less likely to be recovered. Visit their site today and see the demonstration, screenshots and technical details, or download the free trial version.

SecureMac.com News: I'd like to welcome everyone back to SecureMac.com; we've added a new face to the site and are cleaning up many of the articles. Major updates will be seen throughout the site because of you - the readers - and your feedback and suggestions. Please let us know how you enjoy the new layout and if you find any bugs or issues viewing it in your web browsers. SecureMac.com has many new features and great news to roll out, including a Macintosh security software title that Mac OS 9 (and earlier) and Mac OS X users alike can enjoy.

10.11.2002 News: PGP 8.0 Beta for Mac OS X has been released. This is something Mac OS X users have been waiting for. PGP is encryption software which is supported for cross-platform use. Note that this is a beta of the software, so be cautious.

9.23.2002 News: Mac OS X 10.2 Security Update - "Terminal: This update fixes a security hole introduced in Terminal version 1.3 (v81) that shipped with Mac OS X 10.2 (Jaguar) which could allow an attacker to remotely execute arbitrary commands on the user's system. Terminal is updated to version 1.3.1 (v82) with this Security Update." Updates can be downloaded from the Software Update pane; Apple's security update page can be found here.

8.19.2002 News: PGP Corporation announces Mac OS X PGP to be released in Q4 of 2002. They purchased the software from Network Associates. Good things ahead for the company and the PGP product.

8.16.2002 News: The Secure Trusted Operating System Consortium (STOS) is pleased to announce the 1st annual Mac OS X & BSD Security Symposium. The symposium is designed for system and lab administrators, programmers, developers, strategists, and other technical staff involved in the deployment and securing of systems. Past STOS events have been the central networking events for the Mac OS X/Darwin security community. The Mac OS X & BSD Security Symposium follows the previous STOS events by providing an environment that promotes the sharing of ideas and techniques with a shared goal of maximizing the security of the involved systems. The addition of Robert Watson's TrustedBSD tutorial and several new papers on various aspects of BSD-based operating systems brings even more value to this event. Click the link for information, content, and registration information. There is no other event with the same depth of Mac OS X and BSD security subject matter as the Mac OS X and BSD Security Symposium.

8.8.2002 News: Security Update 2002-08-02 is out and includes the following updated programs, offering increased security protecting from recent attacks and holes discovered that affected the components OpenSSH, OpenSSL, SunRPC, and mod_ssl. Download via Apple's OS X Software Update panel or from Apple's web site.

7.16.2002 News: Fixed! A security issue dubbed the Mac OS X SoftwareUpdate Security Issue, which describes how a user could have the SoftwareUpdate pane install files from an untrusted server by poisoning DNS to trick the computer into believing that another IP is Apple's host and installing malicious software, has been fixed by Apple; performing a software update will resolve the issue, or visit the depot site.

6.28.2002 News: Mac OS X users should now perform a system update to install the latest security fixes resolving the issues described below, which allowed remote users to attack the system.

6.26.2002 News / Security Alert // fixed! Mac OS X systems with 'Allow remote login' enabled in the Sharing pane of System Preferences should have it disabled until a new release of OpenSSH has been made available from Apple in the security updates. View advisory now. A new version of the software is out but not available through Apple Software Update. This has been fixed - update software in the pane.

6.19.2002 News / Security Advisory: Cisco VPN Client for Linux, Solaris and Mac OS X contains a security vulnerability; when the exploit is executed, the vpnclient grants administrative rights to the local user. More information and fix, update and advisory for the Mac OS X Cisco client.

6.13.2002 News: Version 1.2 of SubRosa Utilities has been released and can be downloaded directly here. This is the cross-compatible encryption/decryption utility workable on Mac OS, Mac OS X and Windows OS. When you delete files, use their secure deletion utility.

5.30.2002 News: SubRosa Utilities is the newest cross-platform security encryption package for Mac OS, Mac OS X and Windows 98. SubRosa Utilities is a suite of security programs to ensure your data stays secure. The package comes with a file encryption and decryption application, and a file shredding program to ensure that when you say your files are deleted they are securely deleted, making recovery hard to impossible. Check out SubRosa Utilities today, and download right away.

5.13.2002 News: Microsoft Office 98 running on Mac OS 8.1+ is vulnerable to an exploit that allows malicious code to be run. Microsoft has released a patch that fixes all the Office 98 applications (Excel 98, Office 98, PowerPoint 98, and Word 98); more information can be found in their bulletin Off98URLSecurity.

5.6.2002 News: Apple has announced today that they will be dropping Mac OS 9 development, saying it isn't dead for the customers, just for development. Steve Jobs said it was time to drop Mac OS 9 at the WWDC today. What does this mean for developers? Mac OS 9 is still more of a secure OS than Mac OS X is. The session advised developers to develop for Mac OS X rather than OS 9. Government agencies still won't use Mac OS X in their environment because of the issues still within it. Mac OS 9 - we hope developers still do their development on it to create an even more secure environment, and that Apple works on updating and making Mac OS X as secure as its previous systems. WWDC up-to-the-minute coverage.

4.18.2002 News: On Guard 3.4 offers security improvements to the desktop security software. Apple's Navigation Services and restricting the user's ability to store files in protected folders have been added in this version. For update information, download links and a review of On Guard, read more.

4.17.2002 News: Mac OS X Update 10.1.4 is now available and includes the following security enhancement for your system: BSD-based TCP/IP connections now check and block broadcast or multicast IP destination addresses. The Software Update pane in System Preferences will update the system software with these security fixes and additional updates.

4.16.2002 News / Alert! Unchecked buffer in Internet Explorer and Office for Mac can cause code to execute. Anyone running Internet Explorer and Office for the Macintosh should read the information here. Intego has released an update to their content filtering software, ContentBarrier, which can be downloaded from the Intego Software Update page.

4.11.2002 News: Firewalk X 2 is a GUI-based firewall for Mac OS X. The new version includes setting of rules with expiration, and network restriction based on application. Download Firewalk X 2. LockOut 4.1 for OS 8, 9 and LockOut 3.3 for OS X is a desktop protection application by password. New in the 4+ version are the administration controls - take a peek @ LockOut.

4.05.2002 News: Mac OS X Security Update is available for download. To do so, open up Software Update in the System panel and perform the security update, or download from Apple's web site. This update fixes/upgrades/installs the following:
Apache mod_ssl - updated to version 2.8.7-1.3.23 to address a buffer overflow vulnerability which could potentially be used to run arbitrary code; in conjunction, Apache is updated to version 1.3.23.
groff - updated to version 1.17.2 to address the vulnerability CVE ID CAN-2002-0003, where an attacker could gain rights as the 'lp' user remotely.
mail_cmds - updated to fix a vulnerability where users could be added to the mail group.
OpenSSH - updated to version 3.1p1 to address the vulnerability reported in FreeBSD Security Advisory FreeBSD-SA-02:13, where an attacker could influence the contents of memory.
PHP - updated to version 4.1.2 to address the vulnerability reported in CERT CA-2002-05, which could allow an intruder to execute arbitrary code with the privileges of the web server.
rsync - updated to version 2.5.2, addressing a vulnerability which could lead to corruption of the stack and possibly to execution of arbitrary code as the root user (FreeBSD Security Advisory FreeBSD-SA-02:10).
sudo - updated to version 1.6.5p2 to address the vulnerability reported in FreeBSD Security Advisory FreeBSD-SA-02:06, where a local user may obtain superuser privileges.

4.01.2002 News: Protect Your Mac from Hackers and Viruses is an article which informs Macintosh users about security and details the importance of data recovery and loss prevention. Read this article now.

3.08.2002 News: Mac OS X users running Apache with PHP installed, be aware there is a security issue in PHP versions prior to 4.1.2. OpenOSX.com has prepared a 4.1.2 install of PHP for Mac OS X which corrects the security issue.

2.22.2002 News: TypeRecorder released version 1.5 of their keystroke saving application, which runs under Mac OS 9+, adding new features to the program.

2.20.2002 News: Mac OS X 10.1.3 has been released; you can update with the built-in "Software Update" feature. Networking and security improvements include:
Login authentication support for LDAP and Active Directory services
OpenSSH version 3.0.2p1
WebDAV support for Digest authentication
Mail includes support for SSL encryption

2.18.2002 News: MacAnalysis 2.0b9 for Classic and 2.1.4 for OS X has been released. This update for the security auditing tools adds new functionality supporting the AirPort, adding new exploits to the security sweep, auto-updating and content filtering. MacAnalysis is available for Mac OS and Mac OS X.

2.13.2002 News: Ettercap 0.6.4 just released and tested with Darwin. Ettercap will sniff, intercept, and log data on LAN networks, used by system administrators to find problematic situations.

2.07.2002 News: IPNetSentry 1.3.3 for the PPC has been released, fixing a few bugs in this firewall software. Not protected yet from the outside world? Give IPNetSentry a try - it's shareware; free download, get more info.

2.04.2002 News: February 2002 virus definitions have been released. Update your anti-virus software to protect you from the latest viruses, trojans and macros. Find the links to download the newest definitions on the left-hand side of the web page. MacAnalysis 2.1.3 X, the security auditing suite for Mac OS X, has been released, this version fixing a bug many users were running into and adding more improvements. Download MacAnalysis X or the classic version here.

----- Original Message -----
From: "Scott Francis" <darkuncle () darkuncle net>
To: "yossarian" <yossarian () planet nl>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, January 22, 2004 6:29 AM
Subject: Re: [Full-disclosure] Anti-MS drivel

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html