[172] in Security FYI
[Security-fyi] Mac OS X 10.2.4 security fixes
daemon@ATHENA.MIT.EDU (Albert Willis)
Thu Feb 20 15:47:50 2003
Mime-Version: 1.0
Message-Id: <p05210204ba7ab47acb0c@[18.162.0.199]>
Date: Thu, 20 Feb 2003 12:30:58 -0500
To: helpstaff@mit.edu, swrt@mit.edu
From: Albert Willis <awillis@mit.edu>
cc: security-fyi@mit.edu
cc: security-internal@mit.edu
Content-Type: multipart/mixed; boundary="===============068101139993995474=="
Errors-To: security-fyi-bounces@mit.edu
--===============068101139993995474==
Content-Type: multipart/alternative;
boundary="============_-1166360234==_ma============"
--============_-1166360234==_ma============
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Last week Apple released Mac OS X 10.2.4. Besides the normal bug
fixes and enhancements, there are a number of security fixes as well.
One exploit that is fixed is the TruBlueEnvironment Privilege
Escalation Attack (CAN-2003-0088) . Here's the summary:
TruBlueEnvironment is part of the MacOS Classic Emulator. It
is setuid root and installed by default. By setting certain environment
variables, it is possible to overwrite any file on the system, or create
arbitrary files owned as root with the attacker's umask. This
vulnerability can be leveraged to create files that will get executed by
root through the cron facility.
More information on this attack can be found at
http://www.securemac.com/TruBlueEnvironment-privilege-escalation-attack.php.
Information on the other security fixes for Mac OS X 10.2.4 can be
found at http://docs.info.apple.com/article.html?artnum=61798.
Everyone who's running a version of Mac OS X 10.2 should upgrade to
Mac OS X 10.2.4. Running Software Update is the easiest way to get
the update.
You can also download a standalone updater. There are two versions of
the standalone Mac OS X 10.2.4 updater--one if you're running Mac OS
X 10.2.3 (located at
http://docs.info.apple.com/article.html?artnum=70167) and one (the
combo updater) if you're running Mac OS X 10.2, 10.2.1 or 10.2.2,
located at http://docs.info.apple.com/article.html?artnum=70168.
-- Al
--
Albert Willis
Macintosh Platform Coordinator
Software Release Team
MIT Information Systems
--============_-1166360234==_ma============
Content-Type: text/html; charset="us-ascii"
<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Mac OS X 10.2.4 security fixes</title></head><body>
<div>Last week Apple released Mac OS X 10.2.4. Besides the normal bug
fixes and enhancements, there are a number of security fixes as
well.</div>
<div><br></div>
<div>One exploit that is fixed is the TruBlueEnvironment Privilege
Escalation Attack (CAN-2003-0088) . Here's the summary:</div>
<div><br></div>
<blockquote>TruBlueEnvironment is part of the MacOS Classic Emulator.
It</blockquote>
<blockquote>is setuid root and installed by default. By setting
certain environment<br>
variables, it is possible to overwrite any file on the system, or
create<br>
arbitrary files owned as root with the attacker's umask.
This<br>
vulnerability can be leveraged to create files that will get executed
by</blockquote>
<blockquote>root through the cron facility.</blockquote>
<blockquote><br></blockquote>
<div>More information on this attack can be found at
http://www.securemac.com/TruBlueEnvironment-privilege-escalation-atta<span
></span>ck.php.</div>
<div><br></div>
<div>Information on the other security fixes for Mac OS X 10.2.4 can
be found at
http://docs.info.apple.com/article.html?artnum=61798.</div>
<div><br></div>
<div>Everyone who's running a version of Mac OS X 10.2 should upgrade
to Mac OS X 10.2.4. Running Software Update is the easiest way to get
the update.</div>
<div><br></div>
<div>You can also download a standalone updater. There are two
versions of the standalone Mac OS X 10.2.4 updater--one if you're
running Mac OS X 10.2.3 (located at
http://docs.info.apple.com/article.html?artnum=70167) and one (the
combo updater) if you're running Mac OS X 10.2, 10.2.1 or 10.2.2,
located at http://docs.info.apple.com/article.html?artnum=70168.</div>
<div><br></div>
<div> -- Al</div>
<div><br></div>
<x-sigsep><pre>--
</pre></x-sigsep>
<div>Albert Willis<br>
Macintosh Platform Coordinator<br>
Software Release Team<br>
MIT Information Systems</div>
</body>
</html>
--============_-1166360234==_ma============--
--===============068101139993995474==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
_______________________________________________
Security-fyi mailing list
Security-fyi@mit.edu
http://mailman.mit.edu/mailman/listinfo/security-fyi
--===============068101139993995474==--
