SANS ISC: Apple Updates the Update - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Today, Apple release Version 1.1 of its 2006-002 patch which was released on Monday.
Read more about it here: Apple 2006-002 v1.1

This time, Apple only lists the patched components (php, CoreTypes, LaunchServices, Mail, rsync, Safari).
The update includes all the fixes released in the initial Apple 2006-002 an -001 patch.

Based on the included compents, I believe that this patch will address some of the missed issues in open source packages (rsync and php) which I elluded to in Tuesday's webcast. In addition, the patch will likely fix more issues related to the "safe file execution" problem.

We may update this diary later in case Apple releases any details. A couple words about mitigation:

• rsync: by default rsync does not run as a server on OS X, so you should be ok with respect to simple remote exploits. Recent rsync vulnerabilities required the user to be logged in.
  
• php: only an issue if you have Apache with php default enabled. By default, apache is not enabled, and Apple does not load php in its default httpd.conf. Recent vulnerabilities in php, which are likely addressed in this update, protect against local users overstepping restrictions provided by php safe_mode. This is likely a "must apply" patch if you provide shared web hosting with php support. Of course, validating the patch is in particular tricky in such an environment.
• "Safe file execution": You should keep this option disabled in Safari. Keeping a wrapper around 'terminal' or protecting terminal from execution by untrusted users via the parental controls is another appropriate workarround if it does not restrict your users too much.

Would be nice to have a few more details from Apple. For home users: Apply the patch as soon as you can. At this point, Apple does not appear to offer the patches in distinct packages, which will make testing in larger environments tricky.

Some Apple users report in this forum about experiencing network issues after applying 2006-002, which disapeard after applying 2006-002v1.1. See other threads in the same forum for reports of issues like system crashes and systems no longer booting correctly. Apple has not confirmed any problems with this update so far.



I will be teaching next: Intrusion Detection In-Depth - SANS Boston Summer 2019