
Masaca's Blog 2

Musings, diary, grumbles, nonsense, memos... Call it whatever you like (lol).

iPhone OS 2.2 and iPhone OS for iPod touch 2.2

2008-11-21 21:51:00 | Apple
iPhone OS 2.2 and iPhone OS for iPod touch 2.2 has been released via iTunes. The e-mail from Apple Product Security is quoted below.

iPhone OS 2.2 and iPhone OS for iPod touch 2.2 277.7 MB

APPLE-SA-2008-11-20 iPhone OS 2.2 and iPhone OS for iPod touch 2.2

iPhone OS 2.2 and iPhone OS for iPod touch 2.2 is now available and addresses the following issues:

CoreGraphics
CVE-ID: CVE-2008-2321
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue.

ImageIO
CVE-ID: CVE-2008-2327
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images.

ImageIO
CVE-ID: CVE-2008-1586
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected device reset
Description: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset. This update addresses the issue by limiting the amount of memory allocated to open a TIFF image. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

Networking
CVE-ID: CVE-2008-4227
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: The encryption level for PPTP VPN connections may be lower than expected
Description: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences. Credit to Stephen Butler of the University of Illinois of Urbana-Champaign for reporting this issue.

Office Viewer
CVE-ID: CVE-2008-4211
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Office Viewer's handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the affected index values are not negative. Credit: Apple.

Passcode Lock
CVE-ID: CVE-2008-4228
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Emergency calls are not restricted to emergency numbers
Description: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner. This update addresses the issue by restricting emergency calls to a limited set of phone numbers.

Passcode Lock
CVE-ID: CVE-2008-4229
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Restoring a device from backup may not re-enable the Passcode Lock
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode. This update addresses the issue by improving the system's ability to recognize missing preferences. This issue does not affect systems prior to iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to Nolen Scaife for reporting this issue.

Passcode Lock
CVE-ID: CVE-2008-4230
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Short Message Service (SMS) messages may be revealed before the passcode is entered
Description: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the "Show SMS Preview" preference was set to "OFF". This update addresses the issue by, in this situation, displaying only a notification that a SMS message has arrived, and not its content.

Safari
CVE-ID: CVE-2008-4231
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of HTML table elements. Credit to Haifei Li of Fortinet's FortiGuard Global Security Research Team for reporting this issue.

Safari
CVE-ID: CVE-2008-4232
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Websites with embedded iframe elements may be vulnerable to user interface spoofing
Description: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. This update addresses the issue by not allowing iframe elements to display content outside their boundaries. This issue does not affect systems prior to iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to John Resig of Mozilla Corporation for reporting this issue.

Safari
CVE-ID: CVE-2008-4233
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Visiting a maliciously crafted website may initiate a phone call without user interaction
Description: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user's ability to cancel dialing for a short period of time. This update addresses the issue by properly dismissing Safari's call approval dialog when an application is being launched via Safari. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.

Webkit
CVE-ID: CVE-2008-3644
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Sensitive information may be disclosed to a person with physical access to an unlocked device
Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue.

Installation note:

This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "don't install" will present the option the next time you connect your iPhone or iPod touch.

The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the "Check for Update" button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer.

To check that the iPhone or iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "2.2 (5G77)" or later

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222


QuickTime H.264 Compatibility Update

2008-11-19 22:29:11 | Apple
QuickTime H.264 Compatibility Update 7.5.5 has been released via Software Update.

QuickTime H.264 Compatibility Update 7.5.5 3.3 MB
This update improves QuickTime compatibility with iChat.


Safari 3.2 Update

2008-11-14 07:22:01 | Apple
Safari 3.2 has been released via Software Update.

Safari 3.2 39.9 MB
This update is recommended for all Safari users. It provides protection from phishing websites and improves the identification of online businesses. This update also includes the latest security updates.

For details on the security content of this update, see the following website: http://support.apple.com/kb/HT1222?viewlocale=ja_JP
The e-mail from Apple Product Security is quoted below.
APPLE-SA-2008-11-13 Safari 3.2

Safari 3.2 is now available and addresses the following issues:

Safari
CVE-ID: CVE-2005-2096
Available for: Windows XP or Vista
Impact: Multiple vulnerabilities in zlib 1.2.2
Description: Multiple vulnerabilities exist in zlib 1.2.2, the most serious of which may lead to a denial of service. This update addresses the issues by updating to zlib 1.2.3. These issues do not affect Mac OS X systems. Credit to Robbie Joosten of bioinformatics@school, and David Gunnells of the University of Alabama at Birmingham for reporting these issues.

Safari
CVE-ID: CVE-2008-1767
Available for: Windows XP or Vista
Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/ This issue does not affect Mac OS X systems that have applied Security Update 2008-007. Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of the Google Security Team for reporting this issue.

Safari
CVE-ID: CVE-2008-3623
Available for: Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in CoreGraphics' handling of color spaces. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

Safari
CVE-ID: CVE-2008-2327
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images. This issue is addressed in systems running Mac OS X v10.5.5 or later, and in Mac OS X v10.4.11 systems that have applied Security Update 2008-006. Credit: Apple.

Safari
CVE-ID: CVE-2008-2332
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. This issue is addressed in systems running Mac OS X v10.5.5 or later, and in Mac OS X v10.4.11 systems that have applied Security Update 2008-006. Credit to Robert Swiecki of the Google Security Team for reporting this issue.

Safari
CVE-ID: CVE-2008-3608
Available for: Windows XP or Vista
Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of ICC profiles. This issue is addressed in systems running Mac OS X v10.5.5 or later, and in Mac OS X v10.4.11 systems that have applied Security Update 2008-006. Credit: Apple.

Safari
CVE-ID: CVE-2008-3642
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ICC profiles in images. This issue does not affect Mac OS X systems that have applied Security Update 2008-007. Credit: Apple.

Safari
CVE-ID: CVE-2008-3644
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Sensitive information may be disclosed to a local console user
Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue.

WebKit
CVE-ID: CVE-2008-2303
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.

WebKit
CVE-ID: CVE-2008-2317
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebCore's handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to an anonymous researcher working with the TippingPoint Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2008-4216
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description: WebKit's plug-in interface does not block plug-ins from launching local URLs. Visiting a maliciously crafted website may allow a remote attacker to launch local files in Safari, which may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Credit to Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for reporting this issue.


Safari 3.2 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/


Safari for Mac OS X v10.5.5
The download file is named: "Safari3.2Leo.dmg"
Its SHA-1 digest is: 540668ffd5e3a4727720b8687e05f7c43908424a

Safari for Mac OS X v10.4.11
The download file is named: "Safari3.2Ti.dmg"
Its SHA-1 digest is: 463619e89f421eceaed32ea5e9a48891ad8fdb4e

Safari for Windows XP or Vista
The download file is named: "SafariSetup.exe"
Its SHA-1 digest is: 38be6fb56f20de8c312956cd0df40d39584bce53

Safari+QuickTime for Windows XP or Vista
The file is named: "SafariQuickTimeSetup.exe"
Its SHA-1 digest is: 6da9ca61479ce287cea476617253f6a93cbc6aa8

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222


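Digital Camera RAW Compatibility Update 2.3

2008-11-12 21:13:43 | Apple
Digital Camera RAW Compatibility Update 2.3 has been released via Software Update.

Digital Camera RAW Compatibility Update 2.3 4.3 MB
This update extends RAW file compatibility for Aperture 2 and iPhoto '08, adding support for the following cameras: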

Canon EOS 50D
Nikon D90
Sony DSLR-A900
Nikon Coolpix P6000
This update also resolves issues related to specific cameras and overall stability.


iPhoto Update 7.1.5

2008-10-28 08:59:42 | Apple
iPhoto Update 7.1.5 has been released via Software Update.

iPhoto Update 7.1.5 10.9 MB
This update improves the print quality of books, cards, and calendars ordered through the iPhoto print service.



AirMac Extreme Update 2008-004 1.0

2008-10-26 06:46:05 | Apple
AirMac Extreme Update 2008-004 1.0 has been released via Software Update.

AirMac Extreme Update 2008-004 1.0 2.2 MB
This update is recommended for all Intel-based Macintosh computers running Mac OS 10.5.5. It resolves several issues with AirMac connections when roaming in large Wi-Fi networks.




AirMac Extreme Update 2008-003 1.0

2008-10-22 06:22:51 | Apple
AirMac Extreme Update 2008-003 1.0 has been released via Software Update.

AirMac Extreme Update 2008-003 1.0 2.0 MB
This update is recommended for all Intel-based Macintosh computers running Mac OS 10.5.5. It resolves several issues with AirMac connections when roaming in large Wi-Fi networks.



Migration and DVD/CD Sharing Update 1.1

2008-10-17 09:04:46 | Apple
Migration and DVD/CD Sharing Update 1.1 has been released via Software Update.

Migration and DVD/CD Sharing Update 1.1 11.1 MB
This software is recommended for all users. It enhances customization and improves performance for migration over FireWire, Ethernet, and wireless networks.

For details about this update, see: http://support.apple.com/kb/HT3174?viewlocale=ja_JP



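New MacBooks to be announced soon?

2008-10-10 19:56:42 | Apple

Good grief...

Apple is apparently holding an invitation-only hall event on October 14 (local time; the early hours of the 15th in Japan)... And the tagline is
The spotlight turns to notebooks.
That is an outright preview of a refresh of the MacBook/MacBook Pro line. The announcement comes amid all sorts of advance information, such as the aluminum-bodied MacBook that has been all over the rumor mill lately and new MacBooks/MacBook Pros with enclosures made by the "Brick" process of machining from solid aluminum, so it feels quite credible to me.

...Huh? So why "good grief"? Because just the other day I had a MacBook ordered for me to take on my upcoming long business trip to the US. The timing really could not be worse...

  • Apple to hold "notebook" product announcement event on October 14 - Engadget Japanese
  • Apple press event to center on MacBooks, new product categories unlikely -- Piper Jaffray: News - CNET Japan
  • Apple to announce new notebook PCs on October 14 - ITmedia News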

    Security Update 2008-007 1.0

    2008-10-10 06:30:19 | Apple
    Security Update 2008-007 has been released via Software Update.

    Security Update 2008-007 1.0 31.1 MB
    Security Update 2008-007 is recommended for all users and improves the security of Mac OS X. Previous improvements are also included in this security update.

    For details on the security content of this update, see the following website: http://support.apple.com/kb/HT1222?viewlocale=ja_JP
    Below, only the item headings from the Apple Product Security e-mail are quoted.
    APPLE-SA-2008-10-09 Security Update 2008-007

    Security Update 2008-007 is now available and addresses the following issues:

    Apache
    CVE-ID: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364
    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Multiple vulnerabilities in Apache 2.2.8

    Certificates
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Root certificates have been updated

    ClamAV
    CVE-ID: CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914
    Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.5
    Impact: Multiple vulnerabilities in ClamAV 0.93.3

    ColorSync
    CVE-ID: CVE-2008-3642
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

    CUPS
    CVE-ID: CVE-2008-3641
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: A remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user

    Finder
    CVE-ID: CVE-2008-3643
    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: A file on the Desktop may lead to a denial of service

    launchd
    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Applications may fail to enter a sandbox when requested

    libxslt
    CVE-ID: CVE-2008-1767
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

    MySQL Server
    CVE-ID: CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079
    Available for: Mac OS X Server v10.5.5
    Impact: Multiple vulnerabilities in MySQL 5.0.45

    Networking
    CVE-ID: CVE-2008-3645
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: A local user may obtain system privileges

    PHP
    CVE-ID: CVE-2007-4850, CVE-2008-0674, CVE-2008-2371
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.5
    Impact: Multiple vulnerabilities in PHP 4.4.8

    Postfix
    CVE-ID: CVE-2008-3646
    Available for: Mac OS X v10.5.5
    Impact: A remote attacker may be able to send mail directly to local users

    PSNormalizer
    CVE-ID: CVE-2008-3647
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution

    QuickLook
    CVE-ID: CVE-2008-4211
    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution

    rlogin
    CVE-ID: CVE-2008-4212
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Systems that have been manually configured to use rlogin and host.equiv may unexpectedly permit root login

    Script Editor
    CVE-ID: CVE-2008-4214
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: A local user may gain the privileges of another user that is using Script Editor

    Single Sign-On
    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: The sso_util command now accepts passwords from a file

    Tomcat
    CVE-ID: CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461
    Available for: Mac OS X Server v10.5.5
    Impact: Multiple vulnerabilities in Tomcat 6.0.14

    vim
    CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2008-2712, CVE-2008-3432, CVE-2008-3294
    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5
    Impact: Multiple vulnerabilities in vim 7.0

    Weblog
    CVE-ID: CVE-2008-4215
    Available for: Mac OS X Server v10.4.11
    Impact: Access control on weblog postings may not be enforced

    Security Update 2008-007 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

    For Mac OS X v10.5.5
    The download file is named: "SecUpd2008-007.dmg"
    Its SHA-1 digest is: 2e2489a223d13e9d7b9928735b6693ab0cbe6e00

    For Mac OS X Server v10.5.5
    The download file is named: "SecUpdSrvr2008-007.dmg"
    Its SHA-1 digest is: 62db4a0d0688bc047fcf391a20e23e1a72ae292c

    For Mac OS X v10.4.11 (Intel)
    The download file is named: "SecUpd2008-007Intel.dmg"
    Its SHA-1 digest is: 810167ffc3480a897f0b3ef62fdaaed2cfd77f1a

    For Mac OS X v10.4.11 (PPC)
    The download file is named: "SecUpd2008-007PPC.dmg"
    Its SHA-1 digest is: 2e1253241cec2999c8754db40816f801ad80ad8b

    For Mac OS X Server v10.4.11 (Universal)
    The download file is named: "SecUpdSrvr2008-007Univ.dmg"
    Its SHA-1 digest is: 7c71ffd314d7412dcb73746151d4fd7c32749415

    For Mac OS X Server v10.4.11 (PPC)
    The download file is named: "SecUpdSrvr2008-007PPC.dmg"
    Its SHA-1 digest is: be0868a142a9e2a6e93d42c3208ca9585a25cc6d

    Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222



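    iTunes 8.0.1 Update

    2008-10-04 06:49:40 | Apple
    The iTunes 8.0.1 update has been released via Software Update.

    iTunes 8.0.1 58.5 MB
    iTunes 8 includes the Genius feature, which automatically selects songs of the same taste from your library and creates a playlist. The Genius sidebar, part of the Genius feature, recommends songs from the iTunes Store that you do not already have.

    With iTunes 8, browse your artists and albums in the new Grid view. Download your favorite TV shows from the iTunes Store in HD quality. Sync your media with iPod nano (4th generation), iPod classic (120 GB), and iPod touch (2nd generation). And enjoy the stunning new music visualizer.

    iTunes 8 and iTunes U are now accessible using VoiceOver on your Mac.

    iTunes 8.0.1 improves stability and performance and provides a number of important bug fixes, including the following.

  • Seamlessly plays the current song when creating a new Genius playlist.
  • Improves syncing of spoken menus to iPod nano.
  • Resolves an issue where HD TV episodes were deleted during download.
  • Improves checking for updates from the App Store.
  • Improves accessibility with VoiceOver.
  • Resolves issues with syncing Genius results to iPod.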



    Java for Mac OS X 10.4, Release 7

    2008-09-25 06:35:02 | Apple
    Java for Mac OS X 10.4, Release 7 appears to have been released via Software Update.
    The e-mail from Apple Product Security is quoted below.

    APPLE-SA-2008-09-24 Java for Mac OS X 10.4, Release 7

    Java for Mac OS X 10.4, Release 7 is now available and addresses the following issues:

    Java
    CVE-ID: CVE-2008-3637
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: An error checking issue leading to the use of an uninitialized variable exists in the Hash-based Message Authentication Code (HMAC) provider used for generating MD5 and SHA-1 hashes. Visiting a website containing a maliciously crafted Java applet may lead to arbitrary code execution. This update addresses the issue through improved error handling. This is an Apple-specific issue. Credit to Radim Marek for reporting this issue.

    Java
    CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1195, CVE-2008-1196, CVE-2008-3104, CVE-2008-3107, CVE-2008-3108, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
    Impact: Multiple vulnerabilities in Java 1.4.2_16
    Description: Multiple vulnerabilities exist in Java 1.4.2_16, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.4 to version 1.4.2_18. Further information is available via the Sun Java website at http://java.sun.com/j2se/1.4.2/ReleaseNotes.html

    Java
    CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196, CVE-2008-3103, CVE-2008-3104, CVE-2008-3107, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
    Impact: Multiple vulnerabilities in Java 1.5.0_13
    Description: Multiple vulnerabilities exist in Java 1.5.0_13, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.5 to version 1.5.0_16. Further information is available via the Sun Java website at http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

    Java for Mac OS X 10.4, Release 7 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

    The download file is named: "JavaForMacOSX10.4Release7.dmg"
    Its SHA-1 digest is: 67d17ba3e854101d890633f507b4c02e031b3a05

    Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222


    Java for Mac OS X 10.5 Update 2 1.0

    2008-09-25 06:34:12 | Apple
    Java for Mac OS X 10.5 Update 2 1.0 has been released via Software Update.

    Java for Mac OS X 10.5 Update 2 1.0 136 MB
    Java for Mac OS X 10.5 Update 2 improves the reliability and compatibility of Java SE 6, J2SE 5.0, and J2SE 1.4.2 running on Mac OS X 10.5.4 or later. This release updates Java SE 6 to version 1.6.0_07, J2SE 5.0 to version 1.5.0_16, and J2SE 1.4.2 to 1.4.2_18.

    For details about this update, see this website: http://support.apple.com/kb/HT2733?viewlocale=ja_JP
    The e-mail from Apple Product Security is quoted below.
    APPLE-SA-2008-09-24 Java for Mac OS X 10.5 Update 2

    Java for Mac OS X 10.5 Update 2 is now available and addresses the following issues:

    Java
    CVE-ID: CVE-2008-3638
    Available for: Mac OS X v10.5.4 and later, Mac OS X Server v10.5.4 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This is an Apple-specific issue. Credit to Nitesh Dhanjani and Billy Rios for reporting this issue.

    Java
    CVE-ID: CVE-2008-3637
    Available for: Mac OS X v10.5.4 and later, Mac OS X Server v10.5.4 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: An error checking issue leading to the use of an uninitialized variable exists in the Hash-based Message Authentication Code (HMAC) provider used for generating MD5 and SHA-1 hashes. Visiting a website containing a maliciously crafted Java applet may lead to arbitrary code execution. This update addresses the issue through improved error handling. This is an Apple-specific issue. Credit to Radim Marek for reporting this issue.

    Java
    CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1195, CVE-2008-1196, CVE-2008-3104, CVE-2008-3107, CVE-2008-3108, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114
    Available for: Mac OS X v10.5.4 and later, Mac OS X Server v10.5.4 and later
    Impact: Multiple vulnerabilities in Java 1.4.2_16
    Description: Multiple vulnerabilities exist in Java 1.4.2_16, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.4 to version 1.4.2_18. Further information is available via the Sun Java website at http://java.sun.com/j2se/1.4.2/ReleaseNotes.html

    Java
    CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196, CVE-2008-3103, CVE-2008-3104, CVE-2008-3107, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115
    Available for: Mac OS X v10.5.4 and later, Mac OS X Server v10.5.4 and later
    Impact: Multiple vulnerabilities exist in Java 1.5.0_13
    Description: Multiple vulnerabilities in Java 1.5.0_13, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.5 to version 1.5.0_16. Further information is available via the Sun Java website at http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

    Java
    CVE-ID: CVE-2008-3103, CVE-2008-3104, CVE-2008-3105, CVE-2008-3106, CVE-2008-3107, CVE-2008-3109, CVE-2008-3110, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115
    Available for: Mac OS X v10.5.4 and later, Mac OS X Server v10.5.4 and later
    Impact: Multiple vulnerabilities in Java 1.6.0_05
    Description: Multiple vulnerabilities exist in Java 1.6.0_05, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.6 to version 1.6.0_07. Further information is available via the Sun Java website at http://java.sun.com/javase/6/webnotes/ReleaseNotes.html

    Java
    Available for: Mac OS X v10.5.4 and later, Mac OS X Server v10.5.4 and later
    Impact: Limited ability of applications to use stronger cryptographic keys
    Description: The default jurisdiction policy distributed with Java 1.5 on Mac OS X v10.5 restricts the maximum strength of cryptographic keys supported in Java Cryptography Extension (JCE) to 128 bits. This update addresses the issue by changing the default jurisdiction policy to the unlimited strength version. Credit to Bruno Harbulot of the University of Manchester for reporting this issue.

    Java for Mac OS X 10.5 Update 2 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

    The download file is named: "JavaForMacOSX10.5Update2.dmg"
    Its SHA-1 digest is: 5b2a8de347fe68d0638bcf0ede8a71ba35adbab9

    Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
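One way to confirm which JCE jurisdiction policy a Java runtime is actually enforcing, as described in the last Java entry of the advisory above. This is an added example, not code from Apple's advisory or from this blog; the class name `JcePolicyCheck` and the list of algorithms checked are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class (not part of any Apple or Sun distribution).
public class JcePolicyCheck {
    // Algorithms whose policy ceiling is reported (list constructed for this example).
    private static final String[] ALGORITHMS = {"AES", "Blowfish", "DESede"};

    /** Returns true if the installed policy lets AES be initialised with a key of keyBits. */
    static boolean aesKeyAllowed(int keyBits) throws GeneralSecurityException {
        byte[] key = new byte[keyBits / 8]; // all-zero test key, never use for real data
        byte[] iv = new byte[16];           // AES block size
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                        new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            // The jurisdiction policy rejected this key size.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Ask the JCE framework for the ceiling the policy files impose.
        for (String alg : ALGORITHMS) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            String shown = (max == Integer.MAX_VALUE) ? "unlimited" : max + " bits";
            System.out.println(alg + ": max allowed key length = " + shown);
        }
        // Cross-check by actually initialising AES at each standard key size.
        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("AES-" + bits + " init: "
                    + (aesKeyAllowed(bits) ? "allowed" : "blocked by policy"));
        }
        boolean limited = Cipher.getMaxAllowedKeyLength("AES") <= 128;
        System.out.println(limited
                ? "RESULT: limited-strength jurisdiction policy in effect"
                : "RESULT: unlimited-strength jurisdiction policy in effect");
        System.exit(limited ? 1 : 0); // non-zero exit lets a fleet audit script flag the host
    }
}
```

Run it with the same `java` binary the application uses, since each installed Java version carries its own policy files.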



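    Apple Ultracompact USB Power Adapter Exchange Program

    2008-09-20 18:17:24 | Apple
    It appears that the ultracompact USB power adapter included with the Apple iPhone 3G is being recalled. Below, I quote the text of the Apple Ultracompact USB Power Adapter Exchange Program page.

    Apple Ultracompact USB Power Adapter Exchange Program

    Important Safety Notice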


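    Today, Apple announced the Apple Ultracompact USB Power Adapter Exchange Program.

    Apple has confirmed that, under certain circumstances, the plug portion (the metal prongs) of the Apple Ultracompact USB Power Adapter may come off and remain in the power outlet, which could cause an electric shock. This problem has been reported for a very small fraction of the products sold, but no reports of bodily injury have been received at this time.

    The ultracompact USB power adapter is included with every iPhone 3G sold in the countries listed below. It may also have been purchased separately as an accessory.
  • United States
  • Japan
  • Canada
  • Mexico
  • Latin American countries (click here for details)

    Note: The Apple USB power adapters included with the original iPhone, or with iPhone 3G units sold in countries other than those above, are not affected.

    Customer safety is Apple's top priority. We have therefore decided to exchange every ultracompact power adapter for a newly designed power adapter, free of charge.

    Customers using an ultracompact power adapter are asked to stop using it immediately until it has been exchanged for the newly designed ultracompact power adapter.

    In the meantime, please charge your iPhone 3G by connecting it to a computer with the USB cable, or by using the standard-size Apple USB power adapter (the one with folding prongs).

  • If you use an iPhone 3G, please check the exchange procedure and other details directly on that page.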

    Apple Remote Desktop 3.2.2 Client Update

    2008-09-17 06:34:56 | Apple
    Apple Remote Desktop Client Update 3.2.2 is available via Software Update.

    Apple Remote Desktop Client Update 3.2.2 4.4 MB
    The 3.2.2 update addresses several issues related to overall reliability and security. This update is recommended for all Apple Remote Desktop clients.
    For details about this update, see: http://support.apple.com/kb/HT2691?viewlocale=ja_JP
    Below, I quote the e-mail from Apple Product Security.
    APPLE-SA-2008-09-16 Apple Remote Desktop 3.2.2

    Apple Remote Desktop 3.2.2 is now available and addresses the following issue:

    Apple Remote Desktop
    CVE-ID: CVE-2008-2830
    Available for: Apple Remote Desktop 3.2.1, Mac OS X v10.3 through v10.5.5, Mac OS X Server v10.3 through v10.5.5
    Impact: A local user may execute commands with elevated privileges unless Security Update 2008-005 has been installed
    Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. This update mitigates the issue for Apple Remote Desktop by disabling scripting of ARDAgent. This issue does not affect systems that have installed Security Update 2008-005. Credit to Charles Srstka for reporting this issue.

    Apple Remote Desktop 3.2.2 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

    For Apple Remote Desktop 3.2.2 Client
    The download file is named: "RemoteDesktopClient.dmg"
    Its SHA-1 digest is: b1a81f17724d9b2f7b6dbffed56bc9a0463d1d7e

    For Apple Remote Desktop 3.2.2 Admin
    The download file is named: "RemoteDesktopAdmin322.dmg"
    Its SHA-1 digest is: d9657c10ed4bc29cfe8cc64e0727ffd4ed8a1425

    Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222