Sep 21, 2010 08:27 GMT

Apple has released a security update for Mac OS X v10.6.4 and Mac OS X Server v10.6.4, which addresses an information disclosure vulnerability in AFP.

The Apple Filing Protocol (AFP) provides file services for Mac OS X. Clients can access AFP resources by browsing for them on the network or by opening afp:// URLs directly.

Designated "Security Update 2010-006," the release fixes a bug which, according to Apple, can allow an attacker to access an AFP shared folder without supplying a valid password.

"A remote attacker with knowledge of an account name on a target system may bypass the password validation and access AFP shared folders," the company explains in the associated advisory.

The vulnerability, tracked as CVE-2010-1820, affects only Mac OS X 10.6 systems, and AFP file sharing is off by default, which limits its impact. On systems where File Sharing has been switched on, however, the only remaining precondition is a valid account name, which is often easy to guess or enumerate, so such systems should be treated as exposed until patched.

Nevertheless, users are encouraged to apply the available patch as soon as possible by accessing "Software Update" under the Apple menu.

A critical arbitrary code execution vulnerability, a stack buffer overflow in the smbd server that is also reported to affect file sharing on Mac OS X, was patched in Samba 3.5.5, released a week earlier.

"This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server," the Samba developers explained.

Samba is a free reimplementation of the SMB/CIFS protocol suite that provides file and print sharing between Windows and Unix-like systems, and it ships with Mac OS X and Mac OS X Server.

"If you are running Samba, turn it off NOW until you can upgrade. This means all Mac OS X users with file sharing, all NAS devices based on Linux, some printers, etc," HD Moore, the founder and lead developer of the Metasploit penetration testing framework, advised at the time.