A closer look at Security Update 2008-003


Reseller News (NZ) reports that yesterday's Security Update 2008-003 patches 40 vulnerabilities in 25 components and apps, including Flash Player, iCal and Apache.

According to their write-up, 16 of the 40 patches in Wednesday's update were tagged by Apple with its "arbitrary code execution" phrasing, putting them into a category other vendors would call "critical."

As noted, Flash Player was updated (v9.0.124.0), but this is a fix (actually seven issues) that IGM readers read and knew about back on April 9.

Apple's version of Apache received the most attention with eight issues patched.



iCal fixed?

Apple also patched the most serious of three issues identified and publicly revealed, including a how-to, by Core Security.

"Yes, I can say that they patched the most serious of the vulnerabilities, but I cannot confirm that they have patched, or haven't patched, the other two," said Ivan Arce, chief technology officer, Core Security.

Two other iCal issues, which could be used by an attacker to crash but not take over a Mac, were apparently left unpatched.

"But that doesn't mean that they're not security bugs," said Arce.

Apple and Core disagreed over the relative severity of these two potential problems.

Editor's note: Core Security disagrees with Apple about issues with an Apple application, iCal. The result? When Apple didn't cave to their demands, Core not only published information about two arguably non-critical vulnerabilities (the bones of contention), but they also published information on the critical issue about which there was no argument between the two companies.

Core Security crossed the line between whistle blowers and bitter, vindictive bastards with their actions...

What's your take?
