
Apple and McAfee release major security updates

Tags: Patches, Apple Inc., John McCormick, security, McAfee Inc., software, vulnerability, IT Locksmith Newsletter


Takeaway: Apple Computer has released a major security update that patches 26 flaws. Meanwhile, McAfee has released an update to patch holes in its own security software. John McCormick has the details about these and other security issues in this edition of the IT Locksmith.

Apple has fixed a slew of security holes, many of which contained remote code execution threats, in its latest update. Meanwhile, McAfee has patched holes in its own security software.

Details

Apple Computer has released a major security update for its Mac OS X operating systems. The patches fix—among other issues—17 remote code execution vulnerabilities.

It's vital that Mac users apply this patch. The vulnerabilities it addresses are extremely worrying because some are well-known.

The security update patches a total of 26 security flaws, many of which affect both the client and server versions of the operating system. Apple released Security Update 2006-004 to address the issues. This update includes a patch to strengthen Bluetooth.

However, what I find more worrisome are the threats that I thought the company had dealt with long ago. A prime example is the Fetchmail flaw (CVE-2005-2335, CVE-2005-3088, CVE-2005-4348, and CVE-2006-0321). The CVEs for this vulnerability indicate that we've known about some of these threats for some time.

We all understand the importance of diligent monitoring and patching, but what can you do when security flaws endanger your system because they exist in security software that you've purchased to protect your system? That's the dilemma faced by IT pros when we find out that the software we depend on most—security software—contains serious or even critical vulnerabilities. This time it's McAfee on the hot seat, but Symantec and other security firms have earned the same sort of black eye in the past.

Users of McAfee's SecurityCenter software, which includes VirusScan, Total Protection, and the Internet Security Suite, need to upgrade immediately to SecurityCenter 7.0. Most McAfee security software contains the flaws just patched in SecurityCenter.

The vulnerability is highly critical because it can allow remote code execution. In addition, this is a consumer product, and most mainstream users are less likely to maintain its security in a timely fashion.

Many remote users and road warriors may be running this software, and smaller companies may even have it installed on some office systems. The good news, however, is that McAfee reports no known attacks yet. The problems affect SecurityCenter version 4.3 through version 6.0.22, so older versions are definitely at risk.

eEye, the security company that discovered and reported the flaw to McAfee, also notified McAfee of another critical remote code execution threat related to the company's Common Management Agent for versions prior to 3.5.5.438. The security company published that advisory on July 13, after a patch was available.

Final word

As security software grows ever more complex, we must ask the question of whether we're more secure with or without this software. Unfortunately, there's no easy answer.

Personally, I shy away from automatic patches except for virus signature downloads. Of course, even this approach doesn't always protect you. Regarding the McAfee instance, the vulnerability has been around for quite a while, but was only discovered recently.

As for Apple, come on guys: Weren't a lot of these "new" security holes fixed long ago in BSD? If you're going to say your software is more secure because of its open source roots, shouldn't you be keeping track of open source threats and fixes? Otherwise, what's the point?


Also watch for…

  • Is it the wave of the future? U.K.-based Barclays Bank is among the first to really tackle online security by issuing hand-held card readers to authenticate more than 1.5 million active online customers—and not just business customers. I expect other banks to soon follow the example.
  • South Korea is taking an activist stand to protect citizens by asking Google to remove Korean resident registration numbers for nearly 100,000 people. Used for identity theft, these numbers are the rough equivalent of U.S. Social Security numbers.
  • Finally, a recent survey surprisingly shows that more than half of home users secure their Wi-Fi networks—probably as good a record as many small to midsize businesses, based on my own wardriving experiences. Perhaps home users are cautious because they've often used others' unsecured systems?


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
