Apple releases Security Update 2007-004

Apple today released Security Update 2007-004 which is recommended for all users and improves the security of the following components:

• AFP Client
• AirPort
• CarbonCore
• diskdev_cmds
• fetchmail
• ftpd
• gnutar
• Help Viewer
• HID Family
• Installer
• Kerberos
• Libinfo
• Login Window
• network_cmds
• SMB
• System Configuration
• URLMount
• Video Conference
• WebDAV

More info and download links:
Security Update 2007-004 (10.3.9 Server) – 54.1MB
Security Update 2007-004 (10.3.9 Client) – 37.6MB
Security Update 2007-004 (PPC) – 9.3MB
Security Update 2007-004 (Universal) – 16.1MB

Security Update 2007-004 is available via Software Update.

45 Comments

  1. “Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.” — Bill Gates

    I sure hope Bill Gates is totally wrong here, I see too many of these security updates lately.

    Thankfully OS X market share isn’t such a big target as Windows is.

    (yea I know, I disagree)

  2. Difference is, Apple gets these updates out BEFORE these issues ever impact anyone out in the wild. Too bad M$ can’t say the same.

    No Mac in the wild has ever been “taken over totally” anyway, Bill Gates is full of sh*t (and FUD) as usual….

  3. Oh one more thing…

    For true security, you need to:

    1: Backup files, disconnect other drives.

    2: C boot from Mac OS X disk

    3: Select Disk Utility and Erase w/Zero your boot drive.

    4: Install Mac OS X, change your passwords, and immediately Software Update to the present version. (with wired connection to internet)

    5: Enable Firewall advanced options especially Stealth mode.

    6: Install apps from original sources and immediately update.

    7: Avoid apps that demand a admin password to install. 95% of exploits are application exploits. Refusing admin password limits the “hooks” and exploit potential of Mac OS X considerably.

    8: Clone your new boot config to a Zeroed external hard drive and keep seperate. Use this clone only when no other drives, including the boot drive (unless Zeroed first while C booted from a OS X boot DVD) are physically attached to the computer.

    This way nothing can “jump” over to your pristine clone.

    9: Never use your real name when registering Mac OS X, Apple puts your name everywhere.

    10: Use low level debit cards online and transfer cash from a low amount savings account.

    11: Practice “compartmentalized security” to substancially reduce risk.

    Of course there is the slight possibility your machine could be exploited remotely before the OS loads the new security updates. So wireless is definably not the way to go during this crucial period.

    It’s best to get new OS update on a disk from a secure source before doing above.

    Just because there isn’t any “OS X malware in the wild” doesn’t mean someone doesn’t have a hard on for your box.

    Don’t get me started about EFI, this is a totally unprotected powerful firmware environment.

  4. Everything you’ve said here makes sense on paper, but the reality is that OS X has been around for nearly 6 years and still has no malware. OS 7, 8, and 9 combined were around for 6 years, and EACH of them had viruses. They also had fewer users.

    Have you checked out the new malware for iPods with Linux installed on them? How many iPods do you think have Linux installed? 200? 300? A thousand? How many non-Linux iPods are there? Over a hundred million. How many viruses for them? None.

  5. Difference is, Apple gets these updates out BEFORE these issues ever impact anyone out in the wild. Too bad M$ can’t say the same.

    Right, but if Apple had the market share of Windows, the opposite would be true.

    In the Windows world, as soon as a exploit is public, it’s exploited to hell and back with hours.

    Apple has had critical exploits that went unfixed for several months and nobody really bothered.

    Why is that? Small OS X market share is the only answer.

    No Mac in the wild has ever been “taken over totally” anyway, Bill Gates is full of sh*t (and FUD) as usual….

    Of course, but he did say “can”.

    Rememeber Apple didnt fix the URL Handler exploits of Panther for several months. It was posted on Slashdot and every hacker had seen it but nobody really made any use of it.

    No botnets or viruses or anything. Why?

    Market share. It’s really hard to find a Mac OS X box out there amongst all the IP addresses of Windows machines.

    That’s what has been protecting us.

    Beleive it.

  6. Its great that Apple is paying attention to security issues. As long as humans write code, especially millions of lines of code, there will always be some sort of bugs that can lead to exploits.

    Apple keep the patches coming….

  7. According to Appleinsider, this is most of what the security patch is fixing.

    For the most part, the vulnerabilities addressed by the Mac maker’s latest security update could translate into denial of service attack, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window.

    The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environmental variables, could allow local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to “require a password to wake the computer from sleep.”

  8. WiseGuy – If I thought I had to do all that just to feel free to surf the net, I’d find another line of work or hobby. You must have come from the Windows world, where you had bad experiences every other day. I’m content to allow the inherent security of OSX protect me rather than to become paranoid about computer security. You’re making computering sound like not much fun.

    And you’re so wrong about the reason there haven’t been any Mac exploits. Sure, they only have 5% market share (and much higher installed base), but with all the shouting going on about Mac security you don’t think that some hacker somewhere wouldn’t just love to be the first to hack a Mac? Some guys even went so far as to fake it. Remember that not long ago, about the “hacked” wi-fi? Only it wasn’t Mac software. If it could be done easily it would have been. Count on it.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.