From: crawdad@fnal.gov
Subject: Mac OS X required patches
Date: September 9, 2004 10:03:34 CDT
To: macusers@fnal.gov
Cc: computer_security@FNAL.GOV

Two recently-fixed Mac OS X vulnerabilities in combination, the one in libpng and one of the ones in CoreFoundation, rise to the level of a Fermilab Critical Vulnerability since an exploit of one followed by the other could give an attacker control of a vulnerable system, if the user receives and displays malicious content.

*Either* applying the older Security Update 2004-08-09 to OS X 10.2.8 or 10.3.4 *or* upgrading to 10.3.5 removes the vulnerability to malicious PNG images. This much is now mandatory for OS X computers on the Fermilab network (which includes those using our VPN or dialup service). Please be sure one fix or the other is applied by September 24.

Applying Security Update 2004-09-07 as well is strongly recommended, since it addresses some local privilege escalation vulnerabilities and several remote DOS attacks.

You can check for the presence of these patches and updates either by running "Software Update" or by looking in /Library/Receipts for the following package files:

  SecUpd2004-08-09Pan.pkg (10.3.4 Panther) or
  SecUpd2004-08-09Jag.pkg (10.2.8 Jaguar)

  SecUpd2004-09-07PanM.pkg (10.3.5),
  SecUpd2004-09-07Pan.pkg (10.3.4), or
  SecUpd2004-09-07Jag.pkg (10.2.8)

  MacOSXUpdate10.3.5Patch.pkg

Matt Crawford
Fermilab Computer Security Coordinator
+1 630 840 3461
** Computer security contact line: +1 630 840 2345 **
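
The receipt check described in the message can be scripted as below. This is an added example, not part of the original message or a Fermilab tool; the function names and status words are assumptions, and it recognizes only the receipt names the message lists, so a host updated by another route reports `missing-mandatory` and should be confirmed with Software Update.

```shell
#!/bin/sh
# Added example: classify a Mac OS X host by the receipts named in the message.
# Usage: check_receipts [DIR]   (DIR defaults to /Library/Receipts)
# Prints one status word; returns 0 if the mandatory fix is present,
# 1 if it is missing, 2 if the receipts directory cannot be read.

# Any one of these receipts satisfies the mandatory libpng fix.
MANDATORY="SecUpd2004-08-09Pan.pkg SecUpd2004-08-09Jag.pkg MacOSXUpdate10.3.5Patch.pkg"
# Any one of these shows the strongly recommended Security Update 2004-09-07.
RECOMMENDED="SecUpd2004-09-07PanM.pkg SecUpd2004-09-07Pan.pkg SecUpd2004-09-07Jag.pkg"

# first_present DIR NAME... : print the first NAME that exists in DIR.
first_present() {
    dir=$1; shift
    for name in "$@"; do
        # -e matches whether the receipt is a plain file or a bundle directory.
        if [ -e "$dir/$name" ]; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

check_receipts() {
    dir=${1:-/Library/Receipts}
    if [ ! -d "$dir" ]; then
        echo "unknown"; return 2
    fi
    # The lists are intentionally unquoted so each name becomes one argument.
    if ! first_present "$dir" $MANDATORY >/dev/null; then
        echo "missing-mandatory"; return 1
    fi
    if ! first_present "$dir" $RECOMMENDED >/dev/null; then
        echo "mandatory-only"; return 0
    fi
    echo "fully-patched"; return 0
}

# When run as a script with a directory argument, report on that directory.
if [ "$#" -gt 0 ]; then check_receipts "$1"; fi
```
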