Apple accused of hushing up security update

[Osiris]

Apple has been accused of secretly adding a security update to its operating system without telling users, or anyone else.
The update released last week included protection against a Trojan that could allow a hacker to take control of your machine. The HellRTS Trojan has been added to the Mac's list of signatures used to detect dodgy software, according to Sophos' ubiquitous Graham Cluley.
http://ad.uk.doubleclick.net/click;...ination=/welcome/remotesupport/&WT.mc_id=7082

Malware purveyors do not target Macs as much as PCs, which are more tempting because there are more of them.

Cluley claims that Mac users too often ignore security, "And that isn't helped when Apple issues an anti-malware security update like this by stealth, rather than informing the public what it has done. You have to wonder whether their keeping quiet about an anti-malware security update like this was for marketing reasons. 'Shh! Don't tell folks that we have to protect against malware on Mac OS X!'"
Cluley admits there is far less malware around for Macs but warns that continuing to ignore the potential problem could itself encourage hackers to start targeting the operating system.
He said that overall he welcomes any move to improve security but still thinks people should buy anti-virus software too. His company, Sophos, does of course sell Mac and Windows products...

Apple accused of hushing up security update ? The Register

 

[Chasingu]

I frankly don't care if they don't tell us about them adding malware defense, as long as they actually put it in. This is kind of sad for Apple because most people already know that Mac's have built in Defense to a extent.

 

[Kharn]

----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-06-16-1 iTunes 9.2

iTunes 9.2 is now available and addresses the following:

ColorSync
CVE-ID: CVE-2009-1726
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: A heap buffer overflow exists in the handling of images
with an embedded ColorSync profile. Opening a maliciously crafted
image with an embedded ColorSync profile may lead to an unexpected
application termination or arbitrary code execution. This issue is
addressed through improved validation of ColorSync profiles. Credit
to Chris Evans of the Google Security Team, and Andrzej Dyjak for
reporting this issue.

ImageIO
CVE-ID: CVE-2010-1411
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple integer overflows in the handling of TIFF
files may result in a heap buffer overflow. Opening a maliciously
crafted TIFF file may lead to an unexpected application termination
or arbitrary code execution. The issues are addressed through
improved bounds checking. Credit to Kevin Finisterre of
digitalmunition.com for reporting these issues.

WebKit
CVE-ID: CVE-2010-0544, CVE-2010-1119, CVE-2010-1387, CVE-2010-1390,
CVE-2010-1392, CVE-2010-1393, CVE-2010-1395, CVE-2010-1396,
CVE-2010-1397, CVE-2010-1398, CVE-2010-1399, CVE-2010-1400,
CVE-2010-1401, CVE-2010-1402, CVE-2010-1403, CVE-2010-1404,
CVE-2010-1405, CVE-2010-1408, CVE-2010-1409, CVE-2010-1410,
CVE-2010-1412, CVE-2010-1414, CVE-2010-1415, CVE-2010-1416,
CVE-2010-1417, CVE-2010-1418, CVE-2010-1419, CVE-2010-1421,
CVE-2010-1422, CVE-2010-1749, CVE-2010-1758, CVE-2010-1759,
CVE-2010-1761, CVE-2010-1763, CVE-2010-1769, CVE-2010-1770,
CVE-2010-1771, CVE-2010-1774
Available for: Windows 7, Vista, XP SP2 or later
Impact: Multiple vulnerabilities in WebKit
Description: WebKit is updated to the version included in Safari 5.0
and Safari 4.1 to address several vulnerabilities, the most serious
of which may lead to arbitrary code execution. Further information is
available at http://support.apple.com/kb/HT4196


iTunes 9.2 may be obtained from:
Apple - iTunes - Download iTunes Now

For Mac OS X:
The download file is named: "iTunes9.2.dmg"
Its SHA-1 digest is: fc0cd72f63ce2a39ae24ccc6cdd00c921a8a542e

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 36b0bab6592437bb90d3bf0c8e2475d9f707f20b

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: fee32b82f0f9afbedfe37231b78b65083ca7c024

Information will also be posted to the Apple Security Updates
web site: Apple security updates

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iQEcBAEBAgAGBQJMGRhTAAoJEGnF2JsdZQeea+oH/3xaEZAZ9dHFdMR4Jf6XNokV
WY1vXIcUJRZC1B59y8He/k8Zx8Yk5axEO0QEXrPhK7CNsw9dxXfB35Svs+DH/bn9
9zniFYElsQP4gWZBbj9BcIDqEXvuLTG6aDXtZMQxo5eojCrK1esdpGPr1uEcGn9V
DGy22Kn4xJn8xKuCGhaRnP4Hi9lJ5KSkVd+ZEXN8XKsN2dKqPnzcR0Ddd6XdJn5u
Sg5WjABn6rSqBlTbqbJOopqOucU/NAyvV8y4N3KFS1bXMV/j1CV7sDsc/yilxt+x
7hPHdj0aal6PRG9v6XSrXTMIYlaDCnDBLWEeebKD1Lw7eJDlDUgobNez05L505E=
=EIP2
-----END PGP SIGNATURE-----
_______________________________________________