Apple Releases Security Update 2007-004

Apple's operating system has long had a reputation of being secure. While no OS is perfectly secure, Apple does its best to plug the holes before there is any actual harm caused, and releases frequent security updates.

Security Update 2007-004 is recommended for all users and improves the security of the following components:
￭ AFP Client
￭ AirPort
￭ CarbonCore
￭ diskdev_cmds
￭ fetchmail
￭ ftpd
￭ gnutar
￭ Help Viewer
￭ HID Family
￭ Installer
￭ Kerberos
￭ Libinfo
￭ Login Window
￭ network_cmds
￭ SMB
￭ System Configuration
￭ URLMount
￭ Video Conference
￭ WebDAV

Many of the vulnerabilities addressed in this update could have been used in order to execute denial of service attacks, unexpected application termination, or arbitrary code execution. However, there were some more important issues that could have allowed malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window.

Quite a number of the vulnerabilities resulted from insufficient checks of environmental variables. Of these, the ones related to the Login Window could have allowed any local user to either obtain system privileges and execute arbitrary code or simply bypass the screen saver authentication dialog without entering a password even when a user set up the preference pane to "require a password to wake the computer from sleep."

While many of the vulnerabilities fixed in this update could have been potentially exploited to do serious harm, none of them actually were. There have been no exploits in the wild for any of these vulnerabilities and it is recommended that users either use Software Update or download directly from the Apple site and update their machines.