Huge Security Update Fixes Thirty OS X Flaws

March 16, 2007


Severity: High

March 13, 2007

Summary:

Today, Apple released a security update fixing thirty security issues in software packages that ship as part of OS X, including Disk Images, Networking, and ImageIO. An attacker exploiting the worst of these security issues could execute code on your Mac, possibly gaining full control of your computer. If you manage OS X 10.3.9 or 10.4.8 machines, you should download, test, and install the appropriate Apple security update as soon as possible.

Exposure:

Apple’s latest security update corrects vulnerabilities affecting software packages that ship with OS X 10.3.9 and 10.4.8. Many of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate the severity of this update High. You should apply it as soon as you can. Some of the fixed vulnerabilities include:

  • Three code execution vulnerabilities in Disk Images. OS X ships with Disk Images components used to handle disk image (.DMG) files. Disk image files are container files, usually compressed, that vendors often use to package software applications for you to download. For instance, if you’ve downloaded the latest version of Skype for OS X, you received a .DMG file. According to Apple, Disk Images suffers from three vulnerabilities involving the way it handles intentionally malformed .DMG files. By enticing one of your users into downloading and mounting a malicious disk image, an attacker could exploit any of these three flaws to execute code on that user’s computer, with that user’s privileges. Kevin Finisterre and his research partners originally disclosed some of these Disk Images vulnerabilities in early January, during their Month of Apple Bugs (MoAB). They also released public Proof-of-Concept (PoC) code that could allow an attacker to easily exploit some of these issues. With exploit code available in the wild, we recommend you patch immediately.
  • Buffer overflow in ColorSync. ColorSync is OS X’s color management component. ColorSync suffers from a stack buffer overflow flaw involving the way it handles images with embedded ColorSync profiles. By tricking one of your users into downloading and opening a specially crafted image, an attacker could exploit this flaw to execute code on that user’s computer with that user’s privileges. The attacker could then exploit one of the local privilege elevation vulnerabilities described in Apple’s alert to gain complete control of that user’s Mac.
  • Two code execution vulnerabilities in ImageIO. ImageIO is a software component that OS X uses to display image files. Apple’s alert warns that ImageIO suffers from two vulnerabilities related to its handling of maliciously crafted GIF (.gif) and RAW images. If an attacker can trick you into viewing a booby-trapped GIF or RAW image (perhaps from a Web page), he can exploit this flaw to execute attack code on your computer, potentially gaining control of it.

Apple’s alert covers 24 more flaws, many of them code execution flaws like the ones described above. The remaining vulnerabilities also include Denial of Service (DoS) flaws, a few elevation of privilege flaws, and even a Cross-Site Scripting (XSS) flaw. The other components this security update patches include:

  • CoreGraphics
  • CrashReporter
  • CUPS
  • DS Plug-ins
  • Flash Player
  • GNU TAR
  • HFS
  • HID Family
  • Kernel
  • MySQL Server
  • Networking
  • OpenSSH
  • Printing
  • QuickDraw Manager
  • servermgrd
  • SMB File Server
  • Software Update
  • sudo
  • Weblog

Refer to Apple’s alert for more details.

Many of the flaws this update fixes originated from the Month of Apple Bugs (MoAB) and the Month of Kernel Bugs (MoKB). The MoAB and MoKB teams released many PoC exploits for the flaws described in Apple’s alert. A motivated attacker could easily modify these PoC exploits and chain them (a remote code execution flaw followed by a local privilege elevation flaw) in an attack that yields full control of your OS X machines. Patch your OS X machines as soon as you can.

In a separate bulletin, Apple also fixed a security flaw in iPhoto; the fix ships as iPhoto 6.0.6. The flaw is a weakness in iPhoto’s “photocast” feature. If a user subscribes to or opens a maliciously crafted photocast, the attacker might be able to execute attack code. For more details, see Apple’s iPhoto bulletin. If you use iPhoto on your network, install the patch.

Solution Path:

Apple has released updates to fix these vulnerabilities for both OS X 10.3.9 and 10.4.8. Apple OS X administrators should download, test, and deploy the appropriate updates as soon as possible.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X’s Software Update utility automatically pick the correct update for you.

For All Users:

These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never sees the attack (unless you also run firewalls internally between departments), and the client-side ones arrive inside ordinary downloads and web pages that a firewall normally lets through. The only reliable defense is to install the updates.

Status:

Apple released updates to fix these issues.


Introducing the QuickBooks Small Business Community

March 12, 2007
Intuit® QuickBooks® Community

Join MB Raimondi and get your questions about QuickBooks 2007 answered!

New to QuickBooks 2007 and not sure where to start? Or, are you seeking answers to tax questions? Get help and advice from our expert!

Join us for a “QuickBooks Community Ask the Expert featuring MB Raimondi.” Talk to one person you can trust to help you with your QuickBooks and tax questions. Tap into MB’s real world experience working with QuickBooks users like you.

When: Mar 12 – 16, 2007
Where: QuickBooks Community Ask The Expert

About the Expert
MB Raimondi is a CPA with a Masters in Taxation and has been in practice over 20 years. She has used QuickBooks since the DOS version and sets up all her small businesses using QuickBooks. If they don’t have a computer in their office, she sets them up in her office because she uses QuickBooks to interface with her tax program, Pro Series. She is an active user of QuickBooks Remote Access.

MB is an Advanced QuickBooks Certified Pro Advisor as well as being an Intuit Certified Trainer. She has taught the Accountants’ Update Seminar for Intuit since its inception 4 years ago. She is also a member of the Intuit Speakers Bureau. Ms. Raimondi has taught for Real World Training since 1999, teaching the comprehensive two day QuickBooks seminar as well as doing special on-site seminars for them. In between teaching and clients, she does QuickBooks consulting. When asked about QuickBooks, MB said: “I love QuickBooks. I love teaching. What is there not to like about my job! I get to do what I enjoy!”

Introducing Small Business Center

Have a question about starting, running or growing your small business?
Connect with other small businesses and find resources including the Small Business Question & Answer desk, small business articles, and a variety of forums for small businesses. To help you, we have partnered with Entrepreneur®, NOLO® and Duct Tape Marketing® – companies that have led the way helping small businesses like yours. Join other small businesses and ask questions, share your ideas and build your small business community. Go to: http://www.quickbooksgroup.com/sbcenter/



© 2007 Intuit Inc. All rights reserved. QuickBooks and Intuit are registered trademarks of Intuit Inc. All other trademarks are the property of their respective owners and should be treated as such.



Vista Software Version Comparison

March 11, 2007

[Image: Vista software version comparison chart]


No Microsoft Security Updates Coming Next Week

March 11, 2007

In one of only a handful of times since 2003, Microsoft won’t have security patches available next week.

Elizabeth Montalbano, IDG News Service

Thursday, March 08, 2007 12:00 PM GMT-08:00

Microsoft Corp. is not planning to release any security updates on Tuesday, one of only a handful of times the company won’t have security patches available since its monthly security updates began in 2003, Microsoft said Thursday.

Microsoft is currently working on patches for known vulnerabilities in Internet Explorer 7, Office 2007’s Publisher 2007 and Windows Vista OS, but they are not ready for release at the moment, said a spokesman from Microsoft’s public relations firm Thursday.

The last time Microsoft had no security updates on “Patch Tuesday” was September 2005, he said. Patch Tuesday is the name researchers use for Microsoft’s monthly updates, which come on the second Tuesday of the month.

Though there will be no security updates, Microsoft will release two nonsecurity high-priority updates for Windows Update and Software Update Services, and four nonsecurity, high-priority updates on Microsoft Update and Windows Server Update Services.

Microsoft also will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. The tool will not be distributed using Software Update Services.

More information can be found on the Web site for Microsoft security updates. Because there are no security updates for March, the company will not hold its usual news conference next Wednesday.


Daylight Saving Time Help and Support Center

March 9, 2007


Beginning in 2007, daylight saving time (DST) will be extended in the United States. DST will start on March 11, 2007, which is three weeks earlier than usual, and it will end on November 4, 2007, which is one week later than usual. This results in a new DST period that is four weeks longer than in previous years. Unless certain updates are applied to your computer, the time zone settings for your computer’s system clock may be incorrect during this four-week period. In particular, you must make sure that both your Windows operating system and your calendar programs are updated.
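As an added example (not part of Microsoft’s guidance above), the script below computes the old and new US DST transition dates for any year from the rules themselves, reports how far the 2007 change moved them, and, when the host’s time zone database is available (Python 3.9+ with zoneinfo), checks whether that database already applies the new rule. The zone name, probe date and function names are my own choices.

```python
"""Compute US DST transition dates under the pre-2007 and 2007+ rules and
check whether the local tz database applies the newer rule.

Added example; the zone, probe date and helper names are assumptions."""
import datetime as dt

SUNDAY = 6  # datetime weekday numbering: Monday=0 .. Sunday=6


def nth_weekday(year, month, weekday, n):
    """Date of the n-th `weekday` in `month`; n=-1 means the last one."""
    if n > 0:
        first = dt.date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + dt.timedelta(days=offset + 7 * (n - 1))
    # Last occurrence: start at the month's last day and walk backwards.
    next_month = dt.date(year + (month == 12), (month % 12) + 1, 1)
    last = next_month - dt.timedelta(days=1)
    return last - dt.timedelta(days=(last.weekday() - weekday) % 7)


def dst_old_rule(year):
    """Pre-2007 US rule: first Sunday in April to last Sunday in October."""
    return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)


def dst_new_rule(year):
    """Energy Policy Act of 2005 rule, in force from 2007:
    second Sunday in March to first Sunday in November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def rule_shift_weeks(year):
    """(weeks the start moved earlier, weeks the end moved later)."""
    old_start, old_end = dst_old_rule(year)
    new_start, new_end = dst_new_rule(year)
    return (old_start - new_start).days // 7, (new_end - old_end).days // 7


def tzdata_applies_new_rule(zone="America/New_York", year=2007):
    """True if the local tz database has `zone` on DST the day after the
    new-rule start, False if it still follows the old rule, None when no
    tz database is available on this host."""
    try:
        from zoneinfo import ZoneInfo  # Python 3.9+; needs system tzdata
        tz = ZoneInfo(zone)
    except Exception:
        return None
    probe_day = dst_new_rule(year)[0] + dt.timedelta(days=1)
    probe = dt.datetime.combine(probe_day, dt.time(12), tzinfo=tz)
    return probe.dst() != dt.timedelta(0)


if __name__ == "__main__":
    start, end = dst_new_rule(2007)
    print("2007 DST (new rule):", start, "to", end)
    print("old rule:", *dst_old_rule(2007))
    print("shift (weeks earlier, weeks later):", rule_shift_weeks(2007))
    print("tz database applies new rule:", tzdata_applies_new_rule())
```

On a host whose time zone data predates the change, the last check returns False for the probe day (March 12, 2007), which is exactly the four-week window the updates above correct; the shift computation is what produces the “three weeks earlier, one week later” figures quoted in the text.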

Do I have to update my computer?

Home users: If you use Windows Vista or have Automatic Updates turned on, you may not be affected by the change in daylight saving time. If you want to confirm, follow the steps in the Daylight Saving Time Update Guide below.

IT professionals and IT managers: The Daylight Saving Time Update Guide below will quickly lead you to KB articles and downloads for the products you specify in the guide.

Daylight Saving Time Update Guide

Note: You must have active scripting enabled to use this guide.

Go to Microsoft’s site below and run the wizard to see what you need to do to fix this issue.

http://support.microsoft.com/gp/cp_dst


WatchGuard Releases Firebox X Edge e-Series 8.5.1

March 8, 2007

WatchGuard is pleased to announce the availability of WatchGuard Firebox X Edge e-Series software, version 8.5.1. This release includes many important bugfixes. Of particular importance, this release includes changes to support the revised Daylight Saving Time (DST), which goes into effect this year as a result of the Energy Policy Act of 2005. This directly affects customers in countries which adopted the DST revision (US, Canada, Bermuda) and may affect customers doing business with those countries as well. If you reside in a country which adopted the DST revision, we encourage you to install this release before Daylight Saving Time starts on March 11, in order to ensure the accuracy of time-dependent features.

For our Japanese customers, Firebox X Edge e-Series 8.5.1 also offers a Japanese version of the Web User Interface, Help Files, and User Documentation.

Other Important Fixes Included in this Release:

  • Performance improvements on TCP-based connections
  • LDAP authentications across VPN tunnels now work properly
  • Connections no longer time out during lengthy PPPoE server authentications
  • PPTP connections from clients using NAT no longer fail

There are many other bugfixes included in this release. Please refer to the release notes for more detail.

Does this release pertain to me?

The Firebox X Edge e-Series 8.5.1 software will only work with Firebox X Edge e-Series models. It will not operate (and cannot be installed) on other Firebox X Edge (wired or wireless), SOHO 6 (wired or wireless), S6 (wired or wireless), or SOHO models.

Note: If you centrally manage your Firebox X Edge e-Series appliances with WatchGuard System Manager (WSM), you should not upgrade to 8.5.1. You should continue to run Firebox X Edge e-Series version 8.0.3 and continue to use WSM version 8.3.1 until WSM 9.0 is released.

How do I get this release?

Firebox X Edge e-Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading it from the Software Downloads Web page. Be sure to read the accompanying release notes for the complete list of fixes, as well as installation instructions, limitations, and known issues. If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity key, or Partner ID available.)

  • U.S. Customers: 877.232.3531
  • International Customers: +1.206.613.0456

Authorized WatchGuard Resellers: 206.521.8375


IBM/Lenovo Battery Recall

March 5, 2007

March 1, 2007 battery recall

Q1. Which ThinkPad notebook PC models are affected by this recall?
A. The recall affects the models listed below. Customers who bought these systems or an optional or replacement battery for these systems between November 2005 and February 2007 may have a battery subject to this recall.

  • R60 and R60e Series
  • T60 and T60p Series
  • Z60m, Z61e, Z61m, and Z61p Series

These models may have shipped with either 6-cell or 9-cell batteries; only the 9-cell batteries with the part number FRU P/N 92P1131 are being recalled.

Q2. How can I find out if my battery is being recalled?
A. Go to www.lenovo.com/batteryprogram to determine if your battery is affected by the recall. If you prefer to call a Service Center, a worldwide phone list is also available at http://www.lenovo.com/thinkpad/wwphonelist.

Q3. What led you to do a recall?
A. There have been five incidents that came to our attention. Our number one priority is public safety and we concluded that a recall was appropriate in this case.

Q4. If my battery is recalled, how much will the replacement cost?
A. Lenovo is replacing the recalled batteries free of charge. If you return your recalled battery, the replacement battery will come with a one-year limited warranty from Lenovo.

Q5. Am I required to return my defective battery?
A. You are required to return it or recycle it as described in the instructions included with the replacement battery. The package with your replacement battery will include a prepaid shipping container for customers who choose to return their batteries. The package will also include instructions for customers who choose to take their batteries to a local authorized recycling drop-off point.

Q6. If my battery is recalled, how long will I have to wait for it?
A. Early in the process when demand is heaviest, it could take up to 4 weeks to receive a new battery.

Q7. Is it safe to continue using a system with a recalled battery until the replacement battery arrives?
A. If your battery has been recalled and you intend to transport your ThinkPad or use it in a manner that may subject it to external impact, you should turn off the PC, remove the battery, and only power your ThinkPad via an AC adapter.

Directions for removing the battery are available at www.lenovo.com/batteryprogram.

Q8. Is it safe to use a third-party battery in my system?
A. The safety of so-called “gray market” batteries is unknown, and we’ve had incidents involving these types of batteries. We encourage customers to use only batteries from either Lenovo, or authorized resellers, in our products.

Q9. Is this recall related to the Sony battery recall?
A. No. The two recalls are unrelated.

Q10. I replaced a defective Sony battery in my notebook PC. Are any of the batteries shipped as Sony replacements being recalled?
A. No, none of the batteries we shipped as replacements in the Sony recall are affected by this recall.


Sage & Microsoft .NET 3.0 and XPS Document Imaging Essentials Pack issue

March 5, 2007
Sage Software - Customer Support

Here at Sage Software Customer Support, we provide you with up-to-date technical information. Because you subscribe to a Sage support plan, we are sending you the following support article:

Microsoft .NET 3.0 and XPS Document Imaging Essentials Pack issue

Two recent Microsoft updates (Microsoft .NET 3.0 and the XPS Document Imaging Essentials Pack) have been found to affect printing in Sage BusinessWorks. Microsoft has made changes to the printer subsystem in Windows, causing issues when printing forms and reports within Sage BusinessWorks. The following two errors are symptoms of this problem:

“Access violation @ address 40003461 in module rtl60.bpl, write of address XXXXXXXX when previewing reports in Sage BusinessWorks.”

“This printer driver requires more space than is allocated. (Needed XXXX;Alloc: 8096) when printing or previewing reports in Sage BusinessWorks.”

We recommend that you wait to install Microsoft .NET 3.0 or the XPS Document Imaging Essentials Pack until Sage BusinessWorks completes its testing and has an update available to address these changes. If you have already installed these updates and you receive these error messages, switching to an alternate print driver has worked for other customers. If you continue to receive error messages after testing alternate drivers, please contact customer support at 800-447-5700 or email: support.bw@sage.com

Thank you for your commitment to Sage Software. We welcome the opportunity to serve you further.


New computer virus threatens biz nets

March 2, 2007

Technology security firm warns the latest strains of the RINBOT or DELBOT virus are starting to multiply rapidly.

By Parija B. Kavilanz, CNNMoney.com staff writer


NEW YORK (CNNMoney.com) — A disgruntled hacker with a personal grudge against Symantec, which provides anti-virus software to leading Fortune 500 companies, could be behind a new, crippling computer virus that’s already hit a division of at least one big U.S. corporation on Thursday.

If it spreads, technology experts warn the latest strains of the insidious RINBOT computer virus could hijack network systems of businesses worldwide.

New strains

Graham Cluley, senior technology consultant with Boston-based IT security firm Sophos, said his company has been aware of “a number” of new versions of the RINBOT or DELBOT virus produced since Feb. 15.

“We believe this latest strain is the 7th version of RINBOT which first emerged in March 2005,” Cluley said.

According to Cluley, this version is designed to exploit security vulnerabilities embedded in anti-virus software.

“Traditionally hackers always went after Microsoft’s anti-virus programs. But now they’re increasingly targeting other commonly used programs such as Symantec programs and others,” he said.

Cluley said this strain appears to be hitting MS SQL servers. It looks for networks that run the Microsoft Windows operating system, including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. It then spreads through the network by exploiting “weak” spots such as simple passwords.

Getting hijacked

Once it’s in, Cluley said the virus quickly spreads and takes over many computers with the intention of turning the network into a botnet, or a “zombie” network.

“Without you knowing it, hackers will use your computer for a variety of purposes like sending out spam, or distributing denial of service attacks, or even blackmailing other Web sites. There was a case where hackers blackmailed a gambling site and said they would bring down the site for a few days unless they were paid thousands of dollars” Cluley said.

Cluley warned that the virus is not geographically limited. “It’s very stealthy and insidious and works without you knowing it,” he said.

Turner Broadcasting System, a division of Time Warner and parent of CNN and CNNMoney.com, confirmed that its systems were hit by a virus Thursday.

“A virus has affected the network and we are actively working to rectify the situation,” said company spokeswoman Shirley Powell.

Thomas Parsons, an IT specialist with Symantec, confirmed to CNNMoney.com that the most recent variants of RINBOT have targeted Symantec’s anti-virus programs.

“We’re not sure what the motivation is, but we are aware of a hacker that has been adding his own commands into the strain,” Parsons said. Using those codes, Parsons said the hacker let it be known that he wasn’t happy that Symantec was calling the virus RINBOT.
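The spread-by-weak-password behaviour Cluley describes leaves a trail a SQL Server administrator can look for. The following is an added example, not from the article or from Sophos or Symantec: it scans ERRORLOG-style “Login failed” lines and flags any client address that racks up a burst of failures within a short window, which is what a worm guessing simple passwords looks like from the server side. The sample lines are constructed to imitate the SQL Server 2005 message format, and the five-failures-in-sixty-seconds threshold is an assumption to tune for your environment.

```python
"""Flag password-guessing against SQL Server from ERRORLOG-style lines.

Added example. The log excerpt is constructed (not from any real incident)
and imitates the SQL Server 2005 'Login failed' line; threshold and window
are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client hammering several accounts in two seconds,
# another client with two isolated typos 25 minutes apart.
SAMPLE_LOG = """\
2007-03-01 09:12:01.10 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.33]
2007-03-01 09:12:01.42 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.33]
2007-03-01 09:12:01.77 Logon       Login failed for user 'admin'. [CLIENT: 10.1.2.33]
2007-03-01 09:12:02.05 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.33]
2007-03-01 09:12:02.40 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.33]
2007-03-01 09:12:02.91 Logon       Login failed for user 'sql'. [CLIENT: 10.1.2.33]
2007-03-01 09:15:44.00 Logon       Login failed for user 'reports'. [CLIENT: 10.1.7.9]
2007-03-01 09:40:10.00 Logon       Login failed for user 'reports'. [CLIENT: 10.1.7.9]
"""

# timestamp, the 'Logon' source column, the failed user and the client address
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for every failed-login line;
    lines that do not match (errors, startup messages) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["client"]


def find_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: sorted user names tried} for each client that
    produced at least `threshold` failures inside any sliding `window`."""
    events = defaultdict(list)
    for ts, user, client in parse_failed_logins(text):
        events[client].append((ts, user))

    offenders = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[client] = sorted({u for _, u in evs})
                break
    return offenders


if __name__ == "__main__":
    for client, users in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible password guessing from {client}: tried {users}")
```

Run against a real ERRORLOG the function reports 10.1.2.33 (six failures in two seconds, three different accounts) and ignores 10.1.7.9. The usual response is the same one that keeps RINBOT-style worms out in the first place: strong passwords on every SQL Server login, especially sa, and no SQL Server port exposed beyond the hosts that need it.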


WatchGuard Releases Daylight Saving Time Hotfix for WFS

March 2, 2007

WatchGuard is pleased to release an important hotfix for our customers running WatchGuard Firebox System (WFS) appliance software on Firebox X Core or Firebox III models. This hotfix updates the WFS appliance software to take into account the revised Daylight Saving Time (DST) start date, which takes effect this year as a result of the Energy Policy Act of 2005. This issue directly affects customers in countries which adopted the DST revision (US, Canada, Bermuda) and may affect customers doing business with those countries as well.

If you are in the US, Canada, or Bermuda, and run WFS appliance software (including MSS versions 7.4.1 and previous), we urge you to install this hotfix before Daylight Saving Time starts on March 11, in order to ensure the accuracy of time-dependent features such as logging, reporting, and WebBlocker scheduled policies. Without the hotfix, WFS appliances’ system clocks will be behind by one hour during a three-week period between the new DST start date of March 11 and the former DST start date of April 1.

Please note that this hotfix is required only for Firebox appliances running WFS. Appliances running Fireware or Fireware Pro 8.3.1 already have the corrected Daylight Saving Time start and end dates. Customers running versions of Fireware or Fireware Pro lower than 8.3.1 should upgrade to 8.3.1.

How do I get the update?

If you have a current subscription to the LiveSecurity service, you can obtain this update without additional charge by downloading it from the Software Downloads Web page. Be sure to read the accompanying release notes for the complete list of fixes and enhancements, as well as installation instructions, limitations, and known issues. If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, you must supply your registered Product Serial Number, LiveSecurity key, or Partner ID.)

  • U.S. Customers: 877.232.3531
  • International Customers: +1.206.613.0456

Authorized WatchGuard Resellers: +1.206.521.8375