omg, makes Windows look like the Fort Knox of software
http://www.zdnet.com/blog/security/apple-safari-autofill-allows-data-theft/6928
http://www.zdnet.com/blog/security/apple-safari-autofill-allows-data-theft/6928
Jobs refuses to apologize for major Apple Security flaw
- Thread starter stock777
- Start date
B-b-b-but Mac OS X has you covered without constant security alerts. L-O-friggin-L.
CVE-2010-1748
Summary: The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs.
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-1411
Summary: Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow.
Published: 06/17/2010
CVSS Severity: 6.8 (MEDIUM)
CVE-2010-1382
Summary: Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote authenticated users to inject arbitrary web script or HTML via crafted Wiki content, related to lack of a charset field.
Published: 06/17/2010
CVSS Severity: 3.5 (LOW)
CVE-2010-1381
Summary: The default configuration of SMB File Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, enables support for wide links, which allows remote authenticated users to access arbitrary files via vectors involving symbolic links. NOTE: this might overlap CVE-2010-0926.
Published: 06/17/2010
CVSS Severity: 3.5 (LOW)
CVE-2010-1380
Summary: Integer overflow in the cgtexttops CUPS filter in Printing in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to page sizes.
Published: 06/17/2010
CVSS Severity: 7.5 (HIGH)
CVE-2010-1379
Summary: Printer Setup in Apple Mac OS X 10.6 before 10.6.4 does not properly interpret character encoding, which allows remote attackers to cause a denial of service (printing failure) by deploying a printing device that has a Unicode character in its printing-service name.
Published: 06/17/2010
CVSS Severity: 5.0 (MEDIUM)
CVE-2010-1377
Summary: Open Directory in Apple Mac OS X 10.6 before 10.6.4 creates an unencrypted connection upon certain SSL failures, which allows man-in-the-middle attackers to spoof arbitrary network account servers, and possibly execute arbitrary code, via unspecified vectors.
Published: 06/17/2010
CVSS Severity: 9.3 (HIGH)
CVE-2010-1376
Summary: Multiple format string vulnerabilities in Network Authorization in Apple Mac OS X 10.6 before 10.6.4 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a (1) afp, (2) cifs, or (3) smb URL.
Published: 06/17/2010
CVSS Severity: 6.8 (MEDIUM)
CVE-2010-1375
Summary: NetAuthSysAgent in Network Authorization in Apple Mac OS X 10.5.8 does not have the expected authorization requirements, which allows local users to gain privileges via unspecified vectors.
Published: 06/17/2010
CVSS Severity: 7.2 (HIGH)
CVE-2010-1374
Summary: Directory traversal vulnerability in iChat in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, when AIM is used, allows remote attackers to create arbitrary files via directory traversal sequences in an inline image-transfer operation.
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-1373
Summary: Cross-site scripting (XSS) vulnerability in Help Viewer in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted help: URL, related to "URL parameters in HTML content."
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-0546
Summary: Folder Manager in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows local users to delete arbitrary folders via a symlink attack in conjunction with an unmount operation on a crafted volume, related to the Cleanup At Startup folder.
Published: 06/17/2010
CVSS Severity: 3.3 (LOW)
CVE-2010-0545
Summary: The Finder in DesktopServices in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, does not set the expected file ownerships during an "Apply to enclosed items" action, which allows local users to bypass intended access restrictions via normal filesystem operations.
Published: 06/17/2010
CVSS Severity: 4.4 (MEDIUM)
CVE-2010-0543
Summary: ImageIO in Apple Mac OS X 10.5.8, and 10.6 before 10.6.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with MPEG2 encoding.
Published: 06/17/2010
CVSS Severity: 6.8 (MEDIUM)
CVE-2010-0541
Summary: Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page.
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-0540
Summary: Cross-site request forgery (CSRF) vulnerability in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, allows remote attackers to hijack the authentication of administrators for requests that change settings.
Published: 06/17/2010
CVSS Severity: 6.0 (MEDIUM)
CVE-2010-2264
Summary: The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document.
Published: 06/11/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-1774
Summary: WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, accesses out-of-bounds memory during processing of HTML tables, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document.
Published: 06/11/2010
CVSS Severity: 9.3 (HIGH)
CVE-2010-1771
Summary: Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving fonts.
Published: 06/11/2010
CVSS Severity: 9.3 (HIGH)
CVE-2010-1770
Summary: WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, Apple Safari before 4.1 on Mac OS X 10.4, and Google Chrome before 5.0.375.70 does not properly handle a transformation of a text node that has the IBM1147 character set, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document containing a BR element, related to a "type checking issue."
Published: 06/11/2010
CVSS Severity: 9.3 (HIGH)
CVE-2010-1748
Summary: The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs.
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-1411
Summary: Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow.
Published: 06/17/2010
CVSS Severity: 6.8 (MEDIUM)
CVE-2010-1382
Summary: Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote authenticated users to inject arbitrary web script or HTML via crafted Wiki content, related to lack of a charset field.
Published: 06/17/2010
CVSS Severity: 3.5 (LOW)
CVE-2010-1381
Summary: The default configuration of SMB File Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, enables support for wide links, which allows remote authenticated users to access arbitrary files via vectors involving symbolic links. NOTE: this might overlap CVE-2010-0926.
Published: 06/17/2010
CVSS Severity: 3.5 (LOW)
CVE-2010-1380
Summary: Integer overflow in the cgtexttops CUPS filter in Printing in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to page sizes.
Published: 06/17/2010
CVSS Severity: 7.5 (HIGH)
CVE-2010-1379
Summary: Printer Setup in Apple Mac OS X 10.6 before 10.6.4 does not properly interpret character encoding, which allows remote attackers to cause a denial of service (printing failure) by deploying a printing device that has a Unicode character in its printing-service name.
Published: 06/17/2010
CVSS Severity: 5.0 (MEDIUM)
CVE-2010-1377
Summary: Open Directory in Apple Mac OS X 10.6 before 10.6.4 creates an unencrypted connection upon certain SSL failures, which allows man-in-the-middle attackers to spoof arbitrary network account servers, and possibly execute arbitrary code, via unspecified vectors.
Published: 06/17/2010
CVSS Severity: 9.3 (HIGH)
CVE-2010-1376
Summary: Multiple format string vulnerabilities in Network Authorization in Apple Mac OS X 10.6 before 10.6.4 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a (1) afp, (2) cifs, or (3) smb URL.
Published: 06/17/2010
CVSS Severity: 6.8 (MEDIUM)
CVE-2010-1375
Summary: NetAuthSysAgent in Network Authorization in Apple Mac OS X 10.5.8 does not have the expected authorization requirements, which allows local users to gain privileges via unspecified vectors.
Published: 06/17/2010
CVSS Severity: 7.2 (HIGH)
CVE-2010-1374
Summary: Directory traversal vulnerability in iChat in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, when AIM is used, allows remote attackers to create arbitrary files via directory traversal sequences in an inline image-transfer operation.
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-1373
Summary: Cross-site scripting (XSS) vulnerability in Help Viewer in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted help: URL, related to "URL parameters in HTML content."
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-0546
Summary: Folder Manager in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows local users to delete arbitrary folders via a symlink attack in conjunction with an unmount operation on a crafted volume, related to the Cleanup At Startup folder.
Published: 06/17/2010
CVSS Severity: 3.3 (LOW)
CVE-2010-0545
Summary: The Finder in DesktopServices in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, does not set the expected file ownerships during an "Apply to enclosed items" action, which allows local users to bypass intended access restrictions via normal filesystem operations.
Published: 06/17/2010
CVSS Severity: 4.4 (MEDIUM)
CVE-2010-0543
Summary: ImageIO in Apple Mac OS X 10.5.8, and 10.6 before 10.6.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with MPEG2 encoding.
Published: 06/17/2010
CVSS Severity: 6.8 (MEDIUM)
CVE-2010-0541
Summary: Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page.
Published: 06/17/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-0540
Summary: Cross-site request forgery (CSRF) vulnerability in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, allows remote attackers to hijack the authentication of administrators for requests that change settings.
Published: 06/17/2010
CVSS Severity: 6.0 (MEDIUM)
CVE-2010-2264
Summary: The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document.
Published: 06/11/2010
CVSS Severity: 4.3 (MEDIUM)
CVE-2010-1774
Summary: WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, accesses out-of-bounds memory during processing of HTML tables, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document.
Published: 06/11/2010
CVSS Severity: 9.3 (HIGH)
CVE-2010-1771
Summary: Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving fonts.
Published: 06/11/2010
CVSS Severity: 9.3 (HIGH)
CVE-2010-1770
Summary: WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, Apple Safari before 4.1 on Mac OS X 10.4, and Google Chrome before 5.0.375.70 does not properly handle a transformation of a text node that has the IBM1147 character set, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document containing a BR element, related to a "type checking issue."
Published: 06/11/2010
CVSS Severity: 9.3 (HIGH)
Apple the new world leader in software insecurity
By Peter Bright | Last updated a day ago
Apple has displaced Oracle as the company with the most security vulnerabilities in its software, according to security company Secunia. Over the first half of 2010, Apple had more reported flaws than any other vendor. Microsoft retains its third-place spot. Secunia has tracked security vulnerabilities and issues advisories since 2002, producing periodic reports on the state of software. Together, the top ten vendors account for some 38% of all flaws reported.
Though this does not necessarily mean that Apple's software is the most insecure in practiceâthe report takes no consideration of the severity of the flawsâit points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple's flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime, and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.
To illustrate this point, the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely-used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft's other software) than third-party. Since about 2007, the balance shifted towards third-party programs. This year, third-party flaws are predicted to outnumber first-party flaws by two-to-one.
Secunia also makes a case that effectively updating this third-party software is much harder to do; whereas Microsoft's Windows Update and Microsoft Update systems will provide protection for around 35% of reported vulnerabilities, patching the remainder requires the use of 13 or more updating systems. Some vendorsâApple, Mozilla, and Google, for exampleâdo have decent automatic update systems, but others require manual intervention by the user.
Ars Technica.
By Peter Bright | Last updated a day ago
Apple has displaced Oracle as the company with the most security vulnerabilities in its software, according to security company Secunia. Over the first half of 2010, Apple had more reported flaws than any other vendor. Microsoft retains its third-place spot. Secunia has tracked security vulnerabilities and issues advisories since 2002, producing periodic reports on the state of software. Together, the top ten vendors account for some 38% of all flaws reported.
Though this does not necessarily mean that Apple's software is the most insecure in practiceâthe report takes no consideration of the severity of the flawsâit points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple's flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime, and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.
To illustrate this point, the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely-used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft's other software) than third-party. Since about 2007, the balance shifted towards third-party programs. This year, third-party flaws are predicted to outnumber first-party flaws by two-to-one.
Secunia also makes a case that effectively updating this third-party software is much harder to do; whereas Microsoft's Windows Update and Microsoft Update systems will provide protection for around 35% of reported vulnerabilities, patching the remainder requires the use of 13 or more updating systems. Some vendorsâApple, Mozilla, and Google, for exampleâdo have decent automatic update systems, but others require manual intervention by the user.
Ars Technica.
Also...let's think about something else here...Microsoft has been target number 1 for hackers...wouldn't one expect that as a result of this, Microsoft also now has massive amounts of experience in dealing with security flaws?
Whereas cutesy Apple which has never really been a target has never really had to deal with this before. And now they are, and now they are going to either put up or shut up.
Whereas cutesy Apple which has never really been a target has never really had to deal with this before. And now they are, and now they are going to either put up or shut up.
Is there some type of campaign going on against apple or is it the work of the invisible meme?