Computer maker Apple has released a security update to fix more than a dozen flaws in the Jaguar and Panther versions of its flagship Mac operating system.
According to an advisory from Apple, the most serious flaw could permit remote attackers to execute arbitrary code and potentially take over a user's system.
The mega patch fixes holes in several components of Mac OS X, including CoreFoundation, IPSec and the Kerberos 5 authentication system, which was recently patched by MIT.
Apple also included fixes for its Safari browser along with patches for components like libpcap, lukemftpd, NetworkConfig, OpenLDAP, OpenSSH, PPPDialer, rsync and tcpdump.
Apple said the CoreFoundation fix adds validity checks to environment variables that could be manipulated to cause a buffer overflow.
"By manipulating local environment variables, a program could potentially be leveraged by a local attacker to execute arbitrary code," the company warned.
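The CoreFoundation fix described above, validating an environment variable before it is copied into a fixed-size buffer, is the general pattern shown in the following added example. It is illustrative code written for this article, not Apple's patch or CoreFoundation source; the buffer size, variable name and the control-character rule are assumptions chosen for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() and strnlen() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size destination, as a component might use for a path
 * taken from the environment. An unchecked strcpy() into such a buffer
 * is the defect class the advisory describes. */
#define PATH_BUF_SIZE 64

/* Validated copy: returns 0 on success, -1 if the value is missing, does
 * not fit in dest together with its terminator, or contains control
 * characters (embedded newlines, escape sequences). dest is untouched on
 * failure, so the caller never sees a partially written buffer. */
int copy_env_value_checked(const char *value, char *dest, size_t dest_size) {
    if (value == NULL || dest == NULL || dest_size == 0)
        return -1;
    /* strnlen() never scans beyond dest_size bytes of the input. */
    size_t len = strnlen(value, dest_size);
    if (len >= dest_size)
        return -1;                      /* no room for the NUL terminator */
    for (size_t i = 0; i < len; i++) {
        if (iscntrl((unsigned char)value[i]))
            return -1;                  /* reject control characters */
    }
    memcpy(dest, value, len + 1);       /* copies the terminator too */
    return 0;
}

/* Look up an environment variable and copy it with the checks above. */
int get_env_checked(const char *name, char *dest, size_t dest_size) {
    return copy_env_value_checked(getenv(name), dest, dest_size);
}

/* Helper for tests: validate a value against a buffer of dest_size bytes
 * (capped at PATH_BUF_SIZE) and report only the status. */
int value_fits(const char *value, size_t dest_size) {
    char tmp[PATH_BUF_SIZE];
    if (dest_size > sizeof tmp)
        dest_size = sizeof tmp;
    return copy_env_value_checked(value, tmp, dest_size);
}

int main(void) {
    char buf[PATH_BUF_SIZE];

    /* Constructed sample: a normal value is accepted. */
    setenv("DEMO_PATH", "/tmp/demo", 1);
    if (get_env_checked("DEMO_PATH", buf, sizeof buf) == 0)
        printf("accepted: %s\n", buf);

    /* Constructed sample: an oversized value is rejected instead of
     * overrunning buf. */
    char long_value[200];
    memset(long_value, 'A', sizeof long_value - 1);
    long_value[sizeof long_value - 1] = '\0';
    setenv("DEMO_PATH", long_value, 1);
    if (get_env_checked("DEMO_PATH", buf, sizeof buf) != 0)
        printf("rejected: value does not fit a %zu-byte buffer\n", sizeof buf);
    return 0;
}
```

The length check is done with `strnlen()` bounded by the destination size rather than `strlen()`, so even a value without a terminator within range cannot drive the scan past the buffer; the copy happens only after every check has passed.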
The company said that Mac users were not at risk of the more serious Kerberos flaw.
"The buffer overflow can only be exploited if 'auth_to_local_names' or 'auth_to_local' support is also configured in the edu.mit.Kerberos file. Apple does not enable this by default."
In the Safari browser, Apple patched a hole that could allow an untrusted Web site to inject content into a frame intended to be used by another domain.
"A web site that uses multiple frames can have some of its frames replaced with content from a malicious site if the malicious site is visited first. The fix imposes a set of parent/child rules preventing the attack," the company said.