Security Update 2007-006 for Apple OS X

Apple has released a security-only update for OS X. It’s the appropriately named Security Update 2007-006, as Apple has released one security update a month so far this year. This update is needed for 10.4.9 along with the just released 10.4.10. It’s also needed for 10.3.9. The security update addresses two vulnerabilities.

One is in WebCore and can allow cross-site scripting attacks.

The second patched vulnerability was in WebKit and could allow remote code execution.

The update is available through Software Update or as a standalone download and requires a reboot.

Apple Releases 10.4.10 for OS X

Apple has released OS X version 10.4.10. While it contains several enhancements and fixes for the operating system it also includes one security related update. This security update keeps Apple in the one-a-month category for security updates to OS X.

This security vulnerability is described by Apple as:

…the reception of specially crafted IPv6 packets may lead to a reduction in network bandwidth.

This is a relatively low risk vulnerability as it doesn’t include a potential loss of data and doesn’t allow the installation of malicious software. The update also includes security patches released since 10.4.9.

The update is available through the Software Update feature of OS X or as a standalone download. The Intel version of the update is a 49MB download when done through Software Update. The update is also available as a standalone installer in four forms. There are downloads for the PowerPC (PPC) and Intel CPUs. Then each CPU has a “delta” update, which requires that 10.4.9 already be applied, and a much larger “combo” update, which includes all previous updates to OS X 10.4.

I applied the update to two Intel Macs without incident. Like previous updates the first reboot after the patch is significantly longer than usual.

Apple TV Security Update

Apple has released their first security update for Apple TV. According to the bulletin, a remote attacker can cause a denial of service or arbitrary code execution.

This patches the same flaw that was plugged in OS X last month.

At first I thought this was interesting but probably not a problem. Apple TVs seem limited in what they can do, plus they usually reside on a home network behind a NAT router. Apparently this isn’t entirely true and will become even less true as features such as viewing YouTube videos and (maybe) movie rentals are added to Apple TV. Plus the vulnerability exists in UPnP IGD (Universal Plug ‘n Play Internet Gateway Device), which is used by many NAT routers to enable devices like Apple TV to get on the Internet. At least one security researcher was quoted as saying this is a serious flaw.

The update is only available through Apple TV’s self-update feature. Apple TV checks for updates on a weekly schedule so it may be up to a week before it receives the update. You can also manually trigger the update by selecting Settings -> Update Software from the menu.

After applying the update the software version will be 1.1. You can check the version by selecting Settings -> About from the menu.

Disabling Snap Shots Website Preview

Snap Shots are the preview popups that appear when you mouse over a URL on some websites or blogs. They seem to be gaining in popularity on some blogs. They function like Intellitxt Ads, but they aren’t advertising and they’re controlled by the site owner.

Even though they aren’t advertising, some of us find it annoying to have something pop up while we’re reading a web page.

The Snap FAQ includes a link and instructions for disabling them. Deactivation requires you to reload the page or clear your cache to take effect. In addition, a cookie is needed for the deactivation so cookies must be enabled.

Some websites may have the ability to opt-in so you can turn Snap Shots off or on for the site. I’ve also seen the option to disable right on some of the Snap popup windows.

The Snap Shots do seem to serve a potentially useful purpose. My own view is they pop up at the worst time and are more annoyance than benefit. Do you find them useful?

Spam Counts for Week Ending June 17, 2007

My GMail 30-day spam count was up 5 (less than 2%) to 303 spam messages in the last 30 days. The second GMail account has stopped receiving phishing emails.

The bad news is I’ve picked up a couple new spam sources. The email address for my ISP (DSL provider) account received four spam emails this past week. This address is one I’ve literally never used. I’ve always used aliases and forwarders rather than ever giving out the actual email address. Based on the other email addresses in the header for a couple of them it looks like they were just spamming a whole sequence of email addresses.

In addition, it looks like the hosting provider ip01-webhost.net spams Whois contact addresses. I use private registration, and this past week I received 4 forwarded emails from them with promotional offers. McAfee SiteAdvisor has one complaint about them spamming Whois addresses. What’s interesting is that they include the notice:

iP01-webhost.net does not send or support unsolicited email, this email is sent to you because you have been exclusively selected and invited to receive iP01′s services.

They clearly send unsolicited email since I never contacted them. Listing in Whois is hardly “exclusive” and since that’s the only place that email address exists (other than my registrar) there’s little doubt about their selection method. So far it’s only been one email per domain so it’s not egregious, but I don’t think I’d want to do business with a company that starts off playing so loose with their own declared policies.

Website comment spam dropped drastically this week. There were only 671 attempts, which is a drop of 73% from the previous week’s 2,458 attempts. Spam Karma caught them all. That’s still an average of 95 attempts a day. The lifetime total for The OS Quest has hit five figures and is now at 10,155.

Comment spam at the Spam Chronicles remains low. There were 6 attempts this week, down 1 from the previous week. The lifetime total for the Spam Chronicles is 210.
