Security Update 2004-12-02 v1.0
Panther Update

Ahead of the next Mac OS X revision, version 10.3.7 (though we still have time to wait for that), Apple is offering a security update called Security Update 2004-12-02, numbered 1.0.

This security update is available for Mac OS X 10.3.6 and 10.2.8 client as well as for the respective Server versions.

This update is available through the Software Update module (12.7 MB), or directly from Apple's website.
12.7 MB suggests a very large set of fixes. Let's find out right away:

Security Update 2004-12-02 delivers a number of security enhancements; it is recommended for all Macintosh users.

This update includes the following components:

  • Apache
  • AppKit
  • HIToolbox
  • Kerberos
  • Postfix
  • PSNormalizer
  • Safari
  • Terminal


For detailed information on this update, see the following website: http://www.info.apple.com/kbnum/n61798

You can download this patch directly here:

The fixes it brings are all described in the text below, in English:

Security Update 2004-12-02
Apache
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1082
Impact: Apache mod_digest_apple authentication is vulnerable to replay attacks.
Description: The Mac OS X Server specific mod_digest_apple is based on Apache's mod_digest. Multiple corrections for a replay problem in mod_digest were made in versions 1.3.31 and 1.3.32 of Apache (CAN-2003-0987). This update corrects the replay problem in mod_digest_apple authentication using the modifications made to Apache 1.3.32.

Apache
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2003-0020, CAN-2003-0987, CAN-2004-0174, CAN-2004-0488, CAN-2004-0492, CAN-2004-0885, CAN-2004-0940
Impact: Multiple vulnerabilities in Apache and mod_ssl including local privilege escalation, remote denial of service and in some modified configurations execution of arbitrary code.
Description: The Apache Group fixed a number of vulnerabilities between versions 1.3.29 and 1.3.33. The Apache Group security page for Apache 1.3 is located at http://www.apacheweek.com/features/security-13. The previously installed version of Apache was 1.3.29. The default installation of Apache does not enable mod_ssl. This update fixes all of the applicable issues by updating Apache to version 1.3.33 and the companion mod_ssl to version 2.8.22.

Apache
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1083
Impact: Apache configurations did not fully block access to ".DS_Store" files or those starting with ".ht".
Description: A default Apache configuration blocks access to files starting with ".ht" in a case sensitive way. The Apple HFS+ filesystem performs file access in a case insensitive way. The Finder may also create .DS_Store files containing the names of files in locations used to serve web pages. This update modifies the Apache configuration to restrict access to all files beginning with ".ht" or ".DS_S" regardless of capitalization.
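
An added example (not part of Apple's advisory or its configuration) that audits a deny pattern against every capitalization of a protected filename, which is the gap CAN-2004-1083 describes on a case-insensitive filesystem. `HARDENED_PATTERN` and the `PROTECTED` list are assumptions built from the advisory's wording.

```python
import itertools
import re

# Case-sensitive rule as described for the default Apache configuration.
STOCK_PATTERN = r"^\.ht"
# Assumed case-insensitive form covering ".ht" and ".DS_S" (not Apple's text).
HARDENED_PATTERN = r"^\.([Hh][Tt]|[Dd][Ss]_[Ss])"

# Files that must never be served (constructed sample set).
PROTECTED = [".htaccess", ".htpasswd", ".DS_Store"]


def case_variants(name):
    """Yield every upper/lower-case spelling of name. On a case-insensitive
    filesystem such as HFS+ all of them open the same file."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in name]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def uncovered(pattern, protected=PROTECTED):
    """Return the spellings of protected names that the deny pattern misses."""
    rx = re.compile(pattern)
    missed = []
    for name in protected:
        for variant in case_variants(name):
            if not rx.search(variant):
                missed.append(variant)
    return missed


if __name__ == "__main__":
    for label, pattern in (("stock", STOCK_PATTERN), ("hardened", HARDENED_PATTERN)):
        missed = uncovered(pattern)
        print(f"{label}: {len(missed)} spellings not denied, e.g. {missed[:3]}")
```
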

Apache
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1084
Impact: File data and resource fork content can be retrieved via HTTP bypassing normal Apache file handlers.
Description: The Apple HFS+ filesystem permits files to have multiple data streams. These data streams can be directly accessed using special filenames. A specially crafted HTTP request can bypass an Apache file handler and directly access file data or resource fork content. This update modifies the Apache configuration to deny requests for file data or resource fork content via their special filenames. For more information, see this document. Credit to NetSec for reporting this issue.

Apache 2
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0747, CAN-2004-0786, CAN-2004-0751, CAN-2004-0748
Impact: Modified Apache 2 configurations could permit a privilege escalation for local users and remote denial of service.
Description: A customer-modified Apache 2 configuration, where AllowOverride has been enabled, could permit a local user to execute arbitrary code as the Apache (www) user. An unmodified configuration is not vulnerable to this problem. This update also addresses bugs in Apache that could allow certain types of requests to crash the server. Apache is updated to version 2.0.52. Apache 2 ships only with Mac OS X Server, and is off by default.

AppKit
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1081
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: In some circumstances a secure text input field will not correctly enable secure input. This can allow other applications in the same window session to see some input characters and keyboard events. Input to secure text fields is now enabled in a way to prevent the leakage of key press information.

AppKit
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0803, CAN-2004-0804, CAN-2004-0886
Impact: Integer overflows and poor range checking in tiff handling could allow execution of arbitrary code or denial of service.
Description: Flaws in decoding tiff images could overwrite memory, cause arithmetic errors resulting in a crash, or permit the execution of arbitrary code. This update corrects the problems in the handling of tiff images.

Cyrus IMAP
Available for: Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1089
Impact: When using Kerberos authentication with Cyrus IMAP an authenticated user could gain unauthorized access to other mailboxes on the same system.
Description: When using the Kerberos authentication mechanism with the Cyrus IMAP server a user could switch mailboxes after authenticating and gain access to other mailboxes on the same system. This update binds the mailbox to the authenticated user. This server-specific issue is not present in Mac OS X Server v10.2.8. Credit to johan.gradvall@gothia.se for reporting this issue.

HIToolbox
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1085
Impact: Users can quit applications in kiosk mode
Description: A special key combination allowed users to bring up the force quit window even in kiosk mode. This update blocks all force-quit key combinations while in kiosk mode. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Glenn Blauvelt of University of Colorado at Boulder for reporting this issue.

Kerberos
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772
Impact: Exposure to a potential denial of service when Kerberos authentication is used
Description: MIT has released a new version of Kerberos that addresses a denial of service and three double free errors. Mac OS X contains protection against double free errors. This update applies the fix for the denial of service problem. As a precautionary measure the double free patches have also been applied. Credit to the MIT Kerberos Development Team for reporting this issue and providing fixes.

Postfix
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1088
Impact: Postfix using CRAM-MD5 may allow a remote user to send mail without properly authenticating.
Description: Postfix servers using CRAM-MD5 to authenticate senders were vulnerable to a replay attack. Under some circumstances, the credentials used to successfully authenticate a user could be re-used for a small time period. The CRAM-MD5 algorithm used to authenticate users has been updated to prevent the replay window. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Victor Duchovni of Morgan Stanley for reporting this issue.
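
An added example (not Postfix's or Apple's code; the page does not describe the actual fix) of a CRAM-MD5 verifier in the style of RFC 2195 that closes the replay window by consuming each challenge on first use. The class name, hostname, TTL and credentials are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time


class CramMd5Server:
    """CRAM-MD5 verifier that accepts each issued challenge exactly once."""

    def __init__(self, secrets_by_user, hostname="mail.example.test", ttl=60):
        self.secrets_by_user = secrets_by_user  # user -> shared secret (bytes)
        self.hostname = hostname                # hypothetical server name
        self.ttl = ttl                          # seconds a challenge stays valid
        self.outstanding = {}                   # challenge -> issue time

    def new_challenge(self, now=None):
        now = time.time() if now is None else now
        challenge = f"<{secrets.token_hex(16)}.{int(now)}@{self.hostname}>"
        self.outstanding[challenge] = now
        return challenge

    def verify(self, challenge, response, now=None):
        now = time.time() if now is None else now
        # pop() consumes the challenge whether or not the check succeeds,
        # so a captured response cannot be presented a second time.
        issued = self.outstanding.pop(challenge, None)
        if issued is None or now - issued > self.ttl:
            return False
        user, _, digest = response.partition(" ")
        secret = self.secrets_by_user.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge.encode(), hashlib.md5).hexdigest()
        return hmac.compare_digest(expected.encode(), digest.encode())


def client_response(user, secret, challenge):
    """Client side: user name, a space, then hex HMAC-MD5 of the challenge."""
    digest = hmac.new(secret, challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"
```
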

PSNormalizer
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1086
Impact: A buffer overflow in PostScript to PDF conversion could allow execution of arbitrary code.
Description: A buffer overflow in the handling of PostScript to PDF conversion could potentially allow the execution of arbitrary code. This update corrects the PostScript to PDF conversion code to prevent the buffer overflow. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8.

QuickTime Streaming Server
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1123
Impact: Specially crafted requests could cause a denial of service.
Description: QuickTime Streaming Server was vulnerable to a denial of service attack when handling DESCRIBE requests. This update corrects the handling of these requests. Credit to iDEFENSE for reporting this issue.

Safari
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1121
Impact: Specially crafted HTML can display a misleading URI in the Safari status bar.
Description: Safari could be tricked into displaying a URI in its status bar that was not the same as the destination of a link. This update corrects Safari so that it now displays the URI that will be activated when selected.

Safari
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1122
Impact: With multiple browser windows active Safari users could be misled about which window activated a pop-up window.
Description: When multiple Safari windows are open, a carefully timed pop-up could mislead a user into thinking it was activated by a different site. In this update Safari now places a window that activates a pop-up in front of all other browser windows. Credit to Secunia Research for reporting this issue.

Terminal
Available for: Mac OS X v10.3.6 and Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1087
Impact: Terminal may indicate that 'Secure Keyboard Entry' is active when it is not.
Description: The 'Secure Keyboard Entry' menu setting was not properly restored when launching Terminal.app. A check mark would be displayed next to 'Secure Keyboard Entry' even though it was not enabled. This update fixes the behavior of the 'Secure Keyboard Entry'. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Jonathan 'Wolf' Rentzsch of Red Shed Software for reporting this issue. 
Thiery
Posted on: Fri. - December 3, 2004 at 01:07 AM
