Security Bytes: Exploits targeting freshly patched Apple flaw
Apple patches nearly two dozen holes in OS X, but not before exploits are unleashed. Plus McAfee fixes a critical flaw and EMC gets the OK to buy RSA.
Apple Computer Inc. has released several security updates for its Mac OS X operating system, several of which are critical and involve remote code execution.
The most pressing issue is a flaw in the fetchmail email retrieval utility, for which the SANS Internet Storm Center (ISC) reports that exploits are already available. SANS has not yet released details about the exploits, but the patch corrects an issue that could lead to arbitrary code execution when fetching mail from a malicious POP3 mail server. Apple said the fix updates fetchmail to version 6.3.4 and no longer distributes it as a privileged utility.
Of the 21 updates, SANS labeled five as critical. Other than the fetchmail problem, they include:
The problems affect Mac OS X and Mac OS X Server 10.3.9 and 10.4.7. The updates can be downloaded and installed using Apple's Software Update utility or directly from Apple's Web site.
McAfee fixes flaw in consumer software, releases 'Falcon'
McAfee Inc. has issued a bulletin for a remote code execution flaw in its consumer security software. One of the industry's biggest vendors, the Santa Clara, Calif.-based firm has issued an advisory for its SecurityCenter product. SecurityCenter is its consumer security management suite that includes versions of its VirusScan, Personal Firewall Plus, Privacy Service, SpamKiller and other applications.
"This attack requires the end-user to perform certain actions in order to be exploited," McAfee said in its bulletin. "For example, receiving an email from an untrusted source and clicking on a URL. A successful exploit of the security flaw would allow an attacker to remotely execute arbitrary code on the machine running the indicated software. These arbitrary commands would be limited to the privileges of the user which the product is running as on the machine. In order to accomplish this exploit, a user would have to force Internet Explorer to render a malicious web page which has been generated by the attacker. The attack requires reverse engineering of the software as well as the assistance of the user."
Security firm eEye Digital Security reported the vulnerability to McAfee last month. McAfee's patch updates SecurityCenter versions 4.3 through 6.0.22.
Additionally, McAfee Tuesday released its new suite of integrated consumer protection offerings. The products, which come in four different packages, are meant not only to better integrate protection against multiple types of threats, but also to compete against rival product suites from Microsoft (Windows Live OneCare) and Symantec (its upcoming Norton 360 product).
Government approves EMC-RSA deal
Hopkinton, Mass.-based storage giant EMC Corp. has received approval from the U.S. Federal Trade Commission to proceed with its acquisition of security vendor RSA Security Inc.
EMC's purchase of RSA, costing just under $2.1 billion in cash or about $28.00 per share, was announced June 29. Numerous vendors were reportedly in the bidding for Bedford, Mass.-based RSA amid speculation of an impending buyout. It was believed the identity and access management vendor, known largely for its popular security conference and its SecurID smart card tokens, was debating whether to sell while its value may be at its peak, or stay the course and gamble that a growth strategy dependent on acquisitions can succeed.