
Masaca's Blog 2

Monologue, diary, grumbling, nonsense, memos... Call it whatever you like (lol).

Digital Camera RAW Compatibility Update 2.2

2008-09-17 06:29:58 | Apple
Digital Camera RAW Compatibility Update 2.2 is available via Software Update.

Digital Camera RAW Compatibility Update 2.2 4.1 MB
This update extends RAW file compatibility for Aperture 2 and iPhoto '08 and adds support for the following cameras:

Canon EOS Digital Rebel XS/Kiss Digital F/1000D
Kodak DCS Pro SLR/n
Nikon D700
Olympus EVOLT E-420
Olympus EVOLT E-520
Olympus SP-570
Samsung GX-10
Samsung GX-20
Sony DSLR-A300
Sony DSC-R1



Mac OS X Update 10.5.5

2008-09-16 06:33:38 | Apple
Mac OS X Update 10.5.5 is available via Software Update.

Mac OS X Update 10.5.5 136 MB
The 10.5.5 Update is recommended for all users running Mac OS X Leopard. It includes general operating system fixes that enhance the stability, compatibility and security of your Mac.

For detailed information on this update, please visit this website: http://support.apple.com/kb/HT2405?viewlocale=ja_JP
For detailed information on security updates, please visit this website: http://support.apple.com/kb/HT1222?viewlocale=ja_JP
Below, quoting the e-mail from Apple Product Security (item headings only).
APPLE-SA-2008-09-15 Mac OS X v10.5.5 and Security Update 2008-006

Mac OS X v10.5.5 and Security Update 2008-006 are now available and address the following issues:

ATS
CVE-ID: CVE-2008-2305
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a document containing a maliciously crafted font may lead to arbitrary code execution

BIND
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: BIND is updated to address performance issues

ClamAV
CVE-ID: CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4
Impact: Multiple vulnerabilities in ClamAV 0.92.1

Directory Services
CVE-ID: CVE-2008-2329
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: A person with access to the login screen may be able to list user names

Directory Services
CVE-ID: CVE-2008-2330
Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4
Impact: A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig

Finder
CVE-ID: CVE-2008-2331
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: The Get Info window may not display the actual privileges for a file

Finder
CVE-ID: CVE-2008-3613
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: An attacker with access to the local network may cause a denial of service

ImageIO
CVE-ID: CVE-2008-2327
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

ImageIO
CVE-ID: CVE-2008-2332
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

ImageIO
CVE-ID: CVE-2008-3608
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution

ImageIO
CVE-ID: CVE-2008-1382
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: libpng in ImageIO is updated to version 1.2.29

Kernel
CVE-ID: CVE-2008-3609
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Files may be accessed by a local user who does not have the proper permissions

libresolv
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: libresolv is susceptible to DNS cache poisoning and may return forged information

Login Window
CVE-ID: CVE-2008-3610
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: A user may log in without providing a password

Login Window
CVE-ID: CVE-2008-3611
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A person with access to the login screen may be able to change a user's password

mDNSResponder
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information

OpenSSH
CVE-ID: CVE-2008-1483, CVE-2008-1657
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is local X11 session control

QuickDraw Manager
CVE-ID: CVE-2008-3614
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Ruby
CVE-ID: CVE-2008-2376
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution

SearchKit
CVE-ID: CVE-2008-3616
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Applications passing untrusted input to the SearchKit API may lead to an unexpected application termination or arbitrary code execution

System Configuration
CVE-ID: CVE-2008-2312
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may obtain the PPP password

System Preferences
CVE-ID: CVE-2008-3617
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Users may be misled into believing their passwords are stronger than they are

System Preferences
CVE-ID: CVE-2008-3618
Available for: Mac OS X v10.5 through v10.5.4
Impact: Authenticated users may have unexpected remote access to files and directories

Time Machine
CVE-ID: CVE-2008-3619
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Backing up a system with Time Machine may lead to the disclosure of sensitive information

VideoConference
CVE-ID: CVE-2008-3621
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution

Wiki Server
CVE-ID: CVE-2008-3622
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: A remote attacker may cause persistent JavaScript injection on a Wiki server

Mac OS X v10.5.5 and Security Update 2008-006 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.5.5 or Security Update 2008-006.

For Mac OS X v10.5.4
The download file is named: "MacOSXUpd10.5.5.dmg"
Its SHA-1 digest is: bd9bf9304a5b3162f391233fe74fc64f6dbc2bf5

For Mac OS X v10.5 - v10.5.3
The download file is named: "MacOSXUpdCombo10.5.5.dmg"
Its SHA-1 digest is: 91ac9b720ba3b4166e5dc1dd518b1651d77c0f46

For Mac OS X Server v10.5.4
The download file is named: "MacOSXServerUpd10.5.5.dmg"
Its SHA-1 digest is: 00264fd6990b568b5017f1244820d1eeebda8ab2

For Mac OS X Server v10.5 - v10.5.3
The download file is named: "MacOSXServerUpdCombo10.5.5.dmg"
Its SHA-1 digest is: cc463a4f2b2d2079fca56704057f407f86b96661

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-006Intel.dmg"
Its SHA-1 digest is: c64a7aa8b13377b2066110fa86b4f879e0ca746b

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-006PPC.dmg"
Its SHA-1 digest is: 61898bf315d04958aaf487bb92ba257d059a33ce

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-006Univ.dmg"
Its SHA-1 digest is: 0309967cb7e6ae990bd3726e8af4abfeca776b63

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-006PPC.dmg"
Its SHA-1 digest is: 61898bf315d04958aaf487bb92ba257d059a33ce

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
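An added example, not part of the blog post or of Apple's advisory: the quoted mail publishes each download as a "file is named / SHA-1 digest is" pair, so the sketch below parses that layout and checks a downloaded file against it. The function names are assumptions; the three excerpt entries are copied from the text above. It also reports digests listed under more than one file name, which on this page is the case for the two PowerPC packages and is worth confirming against Apple's own copy of the advisory before relying on either value.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Three entries copied from the advisory text quoted above.
ADVISORY_EXCERPT = """
For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-006Intel.dmg"
Its SHA-1 digest is: c64a7aa8b13377b2066110fa86b4f879e0ca746b

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-006PPC.dmg"
Its SHA-1 digest is: 61898bf315d04958aaf487bb92ba257d059a33ce

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-006PPC.dmg"
Its SHA-1 digest is: 61898bf315d04958aaf487bb92ba257d059a33ce
"""

# The file name may or may not be quoted (both forms occur in the mails).
ENTRY_RE = re.compile(
    r'The download file is named:[ \t]*"?(?P<name>[^"\r\n]+?)"?[ \t]*\r?\n'
    r'[ \t]*Its SHA-1 digest is:[ \t]*(?P<digest>[0-9a-fA-F]{40})\b'
)


def parse_advisory(text):
    """Return {file name: lowercase SHA-1 hex digest} from advisory text."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        name, digest = m.group("name"), m.group("digest").lower()
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"{name} is listed with two different digests")
    return entries


def shared_digests(entries):
    """Return {digest: [names]} for digests listed under several names."""
    by_digest = defaultdict(list)
    for name, digest in entries.items():
        by_digest[digest].append(name)
    return {d: sorted(n) for d, n in by_digest.items() if len(n) > 1}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large disk images need little memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, entries):
    """True if the file's SHA-1 equals the digest listed for its name."""
    name = os.path.basename(path)
    if name not in entries:
        raise KeyError(f"{name} is not listed in the advisory")
    return hmac.compare_digest(sha1_of_file(path), entries[name])


if __name__ == "__main__":
    listed = parse_advisory(ADVISORY_EXCERPT)
    for digest, names in shared_digests(listed).items():
        print("same digest listed for:", ", ".join(names))
```

The digest only helps if the advisory text itself came from a trusted channel; Apple's security mails are PGP-signed, and the signature is not reproduced on this page.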


Front Row Update 2.1.6

2008-09-11 07:04:03 | Apple
Front Row Update 2.1.6 is available via Software Update.
Front Row Update 2.1.6 13.1 MB
This Front Row update improves compatibility with iTunes 8.0 and fixes several issues.



iPod touch v2.1

2008-09-10 06:36:37 | Apple
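iPod touch v2.1 is now available. This update is not delivered via Software Update; it is delivered only through iTunes. iTunes checks for updates once a week and downloads an update when it detects one. The update is applied the next time the iPod touch is connected. To update manually, click the "Check for Update" button in iTunes. Then connect the iPod touch to its dock and the update will be performed.
Below, quoting the e-mail from Apple Product Security.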
APPLE-SA-2008-09-09 iPod touch v2.1

iPod touch v2.1 is now available and addresses the following issues:

Application Sandbox
CVE-ID: CVE-2008-3631
Available for: iPod touch v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPod touch versions prior to v2.0.

CoreGraphics
CVE-ID: CVE-2008-1806, CVE-2008-1807, CVE-2008-1808
Available for: iPod touch v1.1 through v2.0.2
Impact: Multiple vulnerabilities in FreeType v2.3.5
Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/

mDNSResponder
CVE-ID: CVE-2008-1447
Available for: iPod touch v1.1 through v2.0.2
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.

Networking
CVE-ID: CVE-2008-3612
Available for: iPod touch v2.0 through v2.0.2
Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking
Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPod touch versions prior to v2.0.

WebKit
CVE-ID: CVE-2008-3632
Available for: iPod touch v1.1 through v2.0.2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.

Installation note:

This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "don't install" will present the option the next time you connect your iPod touch.

The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the "Check for Update" button within iTunes. After doing this, the update can be applied when your iPod touch is docked to your computer.

To check that the iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "2.1 (5F135)" or later

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222


Bonjour for Windows 1.0.5

2008-09-10 06:34:26 | Apple
Bonjour for Windows 1.0.5 is reportedly out. This update is also said to be included in iTunes 8.0 for Windows.
Below, quoting the e-mail from Apple Product Security.
APPLE-SA-2009-09-09 Bonjour for Windows 1.0.5

Bonjour for Windows 1.0.5 is now available and addresses the following issues:

mDNSResponder
CVE-ID: CVE-2008-2326
Available for: Windows Vista, XP SP2 and SP3, 2003, 2000
Impact: Resolving a maliciously crafted ".local" domain name may cause an unexpected application termination
Description: A null pointer dereference issue exists in the Bonjour Namespace Provider. Resolving a maliciously crafted ".local" domain name containing a long DNS label may cause an unexpected application termination. This update addresses the issue by performing additional validation of DNS labels. This issue does not affect systems running Mac OS X. Credit to Mario Ballano of 48bits.com for reporting this issue.

mDNSResponder
CVE-ID: CVE-2008-3630
Available for: Windows Vista, XP SP2 and SP3, 2003, 2000
Impact: mDNSResponder may return forged information for unicast DNS queries
Description: Bonjour for Windows provides Zero Configuration Networking, Multicast DNS, and Network Service Discovery for Windows users. It's also possible to use the Bonjour API to issue conventional unicast DNS queries. A weakness in the DNS protocol may allow a remote attacker to spoof DNS responses. As a result, if there are applications that use Bonjour for Windows for unicast DNS, those applications may receive forged information. However, there are no known applications that use the Bonjour APIs for unicast DNS hostname resolution. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against spoofing attacks. This change does not affect Multicast DNS resolution.

Bonjour for Windows 1.0.5 is included in iTunes 8.0.

Bonjour for Windows 1.0.5 may be obtained from
Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "BonjourSetup.exe"
Its SHA-1 digest is: 681e3505bb9d7780c200e5a5eba43e8ba7062c05

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
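An added example, not part of the blog post or of Apple's code: the mDNSResponder entries in the iPod touch and Bonjour for Windows mails above name two mitigations, source port and transaction ID randomization against forged unicast DNS replies, and additional validation of DNS labels. The sketch below shows both on the resolver side; all names are assumptions, the port is drawn in user code only to keep the example offline, and 192.0.2.53 is a documentation address.

```python
import secrets
import struct
from dataclasses import dataclass

MAX_LABEL = 63   # RFC 1035: one label is at most 63 bytes
MAX_NAME = 255   # RFC 1035: the encoded name is at most 255 bytes


def encode_name(name):
    """Encode a host name to DNS wire format, rejecting bad labels early."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")  # non-ASCII raises (a ValueError subclass)
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"label length {len(raw)} outside 1..{MAX_LABEL}")
        out += bytes([len(raw)]) + raw
    out.append(0)  # root label terminates the name
    if len(out) > MAX_NAME:
        raise ValueError("encoded name exceeds 255 bytes")
    return bytes(out)


@dataclass(frozen=True)
class PendingQuery:
    txid: int          # random 16-bit transaction ID
    local_port: int    # random UDP source port for this one query
    server: tuple      # (ip, port) the query was sent to
    question: bytes    # encoded QNAME + QTYPE + QCLASS
    packet: bytes      # full query datagram


def new_query(name, server, qtype=1):
    """Build an A query with unpredictable transaction ID and source port."""
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    txid = secrets.randbits(16)
    # A real resolver binds a fresh UDP socket per query; modelled here.
    local_port = 1024 + secrets.randbelow(65536 - 1024)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD, 1 question
    return PendingQuery(txid, local_port, server, question, header + question)


def accept_response(pending, datagram, src, dst_port):
    """Return (accepted, reason); every field a spoofer must guess is checked."""
    if src != pending.server:
        return False, "unexpected source address"
    if dst_port != pending.local_port:
        return False, "wrong local port"
    if len(datagram) < 12:
        return False, "truncated header"
    txid, flags, qdcount = struct.unpack("!HHH", datagram[:6])
    if not flags & 0x8000:
        return False, "not a response"
    if txid != pending.txid:
        return False, "transaction ID mismatch"
    end = 12 + len(pending.question)
    if qdcount != 1 or datagram[12:end] != pending.question:
        return False, "question mismatch"
    return True, "ok"


def spoof_guess_space(randomized_port):
    """Number of (txid, port) pairs an off-path sender has to cover."""
    return 65536 * ((65536 - 1024) if randomized_port else 1)
```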


iTunes 8.0

2008-09-10 06:28:53 | Apple
iTunes 8.0 is available via Software Update.

iTunes 8.0 58.4 MB
iTunes 8 includes Genius, which automatically selects songs from your library that go well together and makes a playlist from them. The Genius sidebar, part of the Genius feature, recommends songs from the iTunes Store that you don't already have.

Use iTunes 8 to browse your artists and albums in the new grid view. Download your favorite TV shows in HD quality from the iTunes Store. Sync your media with iPod nano (4th generation), iPod classic (120 GB), and iPod touch (2nd generation). And enjoy the stunning new music visualizer.

iTunes 8 and iTunes U are now accessible with VoiceOver on your Mac.

For detailed information on the security content of this update, please visit this website: http://support.apple.com/kb/HT1222?viewlocale=ja_JP
Below, quoting the e-mail from Apple Product Security.
APPLE-SA-2009-09-09 iTunes 8.0

iTunes 8.0 is now available and addresses the following issues:

iTunes
CVE-ID: CVE-2008-3634
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Firewall warning dialog in iTunes is misleading
Description: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn't affect the firewall's security. Allowing iTunes Music Sharing or any other service through the firewall inherently affects security by exposing the service to remote entities. This update addresses the issue by refining the text in the warning dialog. This issue does not affect systems running Mac OS X v10.5 or later. Credit info to Eric Hall of DarkArt Consulting Services, Inc. for reporting this issue.

iTunes
CVE-ID: CVE-2008-3636
Available for: Windows XP or Vista
Impact: A local user may gain system privileges
Description: A third-party driver provided with iTunes may trigger an integer overflow, and could allow a local user to obtain system privileges. Credit to Ruben Santamarta of Wintercore for reporting this issue.

iTunes 8.0 may be obtained from: http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes8.dmg"
Its SHA-1 digest is: af54727e4b2e0e6bb0c367b34ae5075f36096aef

For Windows XP / Vista:
The download file is named: "iTunes8Setup.exe"
Its SHA-1 digest is: 5d4ff8ffbe9feeaed67deb317797c1d71a03c359

For Windows XP / Vista 64 Bit:
The download file is named: "iTunes864Setup.exe"
Its SHA-1 digest is: 86df5d9899a8dad82b893309dc18672e3d2cccd0

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222



QuickTime 7.5.5

2008-09-10 06:21:35 | Apple
QuickTime 7.5.5 is available via Software Update.

QuickTime 7.5.5 67.5 MB
QuickTime 7.5.5 includes changes that improve reliability, application compatibility and security.

This release is recommended for all QuickTime 7 users.

For detailed information on the security content of this update, please visit this website: http://www.info.apple.com/kbnum/n61798-ja
Below, quoting the e-mail from Apple Product Security.
APPLE-SA-2008-09-09 QuickTime 7.5.5

QuickTime 7.5.5 is now available and addresses the following issues:

QuickTime
CVE-ID: CVE-2008-3615
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to Paul Byrne of NGSSoftware for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3635
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the third-party Indeo v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3624
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3625
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3614
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3626
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of STSZ atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3627
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in QuickTime's handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of H.264 encoded movie files. Credit to an anonymous researcher and Subreption LLC working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3628
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An invalid pointer issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by correctly saving and restoring a global variable. This issue does not affect systems running Mac OS X. Credit to David Wharton for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3629
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination
Description: An out-of-bounds read issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. This update addresses the issue by performing additional validation of PICT images. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

QuickTime 7.5.5 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/

For Mac OS X v10.5 or later
The download file is named: "QuickTime755_Leopard.dmg"
Its SHA-1 digest is: 934f784a553c2d4484d298071ad6d95ea34b8b2f

For Mac OS X v10.4.9 through Mac OS X v10.4.11
The download file is named: "QuickTime755_Tiger.dmg"
Its SHA-1 digest is: dcdf58e27aad2a1e958788c0f58584605c4b8e78

For Windows Vista / XP SP2 and SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 5900ff0b8044972cb06b52dfc913c6364bf27ccc

QuickTime with iTunes for Windows XP or Vista
The download file is named: iTunes8Setup.exe
Its SHA-1 digest is: 5d4ff8ffbe9feeaed67deb317797c1d71a03c359

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
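An added example, not part of the blog post and not Apple's fix: the CVE-2008-3626 entry above says only that STSZ atoms now get improved bounds checking, without describing the flaw. The sketch below shows what such a check looks like when parsing a sample size atom, using the public QuickTime atom layout; the function names are assumptions and the atoms in the test are constructed.

```python
import struct
from collections import namedtuple

# size(4) type(4) version+flags(4) sample_size(4) entry_count(4)
STSZ_HEADER = 20

SampleSizes = namedtuple("SampleSizes", "uniform_size count table")


def parse_stsz(buf, offset=0):
    """Parse one 'stsz' atom at offset, validating every declared length."""
    if offset < 0 or len(buf) - offset < STSZ_HEADER:
        raise ValueError("truncated stsz header")
    size, kind, _version_flags, sample_size, count = struct.unpack_from(
        ">I4sIII", buf, offset
    )
    if kind != b"stsz":
        raise ValueError("not an stsz atom")
    # The declared atom size must cover the header and stay inside the buffer.
    # (Special sizes 0 and 1 are rejected here to keep the example small.)
    if size < STSZ_HEADER or size > len(buf) - offset:
        raise ValueError("atom size outside buffer")
    if sample_size != 0:
        # All samples share one size; no table follows, so nothing is
        # allocated in proportion to the untrusted count.
        return SampleSizes(sample_size, count, ())
    available = size - STSZ_HEADER
    # Compare by division: count * 4 can wrap in fixed-width arithmetic
    # if this check is ported to C.
    if count > available // 4:
        raise ValueError("entry count exceeds atom payload")
    table = struct.unpack_from(f">{count}I", buf, offset + STSZ_HEADER)
    return SampleSizes(0, count, table)


def make_stsz(sizes, claimed_count=None):
    """Build a constructed stsz atom; claimed_count may lie about the table."""
    count = len(sizes) if claimed_count is None else claimed_count
    body = struct.pack(">III", 0, 0, count)
    body += b"".join(struct.pack(">I", s) for s in sizes)
    return struct.pack(">I4s", 8 + len(body), b"stsz") + body
```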



Let's Rock!

2008-09-10 03:40:08 | Apple
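For some reason I woke up, so I'm watching the real-time updates on Engadget and Gizmodo
Just as rumored, it seems iTunes 8, the 4G iPod nano and the 2G iPod touch are out

The new feature in iTunes 8 is "Genius". It is described as "a feature that, with one click, creates a playlist matched to your tastes and your library". Apparently the playlist information may or may not get uploaded to a server, and may or may not get analyzed...

The 4G iPod nano has the tall, narrow form that leaked beforehand. To match the iPhone style it has a curved design that gets thinner toward the edges, so the cross-section is naturally elliptical. And it is apparently the thinnest ever. The display is portrait, but it has an accelerometer like the iPhone and iPod touch, so turn it sideways and you get landscape display! Of course, CoverFlow in landscape is included too. The new Genius Play List feature is included as well. Calendar, stopwatch, and a voice recorder when you connect a microphone! And, believe it or not, shake to shuffle. Battery life is 24 hours for music and 4 hours for video. It comes in 7 colors 9 colors (checked on the online store), and capacities are 8 GB at $149 and 16 GB at $199.

The 2G iPod touch likewise follows the iPhone style with a curved back design. It adds volume buttons and a speaker. Of course it also has Genius Play List. And Nike+, until now exclusive to the iPod nano, is built in. The receiver is built in, so there is no need to attach one to the dock. Other specs are the same as the 1G. Unfortunately there are none of the big feature upgrades people were hoping for, such as a 64 GB version, a built-in camera or built-in GPS. Personally it feels more like a minor update than a "2G". Capacities are as before: 8 GB at $229, 16 GB at $299, and 32 GB at $399. The software is iPhone iPod touch v2.1. For the 1G iPod touch it is free if you are on 2.0; if you are on 1.x it is $9.95, available today. For the iPhone it is free and available around Friday.

Also, the iPod classic gets a capacity bump to 120 GB, on sale at $249. The iPod shuffle is unchanged apart from new colors.

And as a new accessory, there are in-ear headphones with a small remote with microphone partway down the cord.

They are already available on the Japanese Apple Store online. At the moment the 4G iPod nano 8 GB is 17,800 yen, shipping within 24 hours. The 16 GB is 23,800 yen, 5 to 7 business days. For the iPod touch, the 8 GB is 27,800 yen, the 16 GB 35,800 yen and the 32 GB 47,800 yen, all scheduled to ship in 2 to 4 weeks. The in-ear headphones are 9,400 yen, coming soon. The iPod classic 120 GB is 29,800 yen.

So, am I going to click "buy"? I'd like to, but first I'll sleep and think about it tomorrow morning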

Apple Store(Japan)
  • Apple announces iTunes 8
  • Apple announces new iPod touch
  • Apple announces new iPod nano

    Will I click "buy" on September 10...

    2008-09-04 08:58:12 | Apple
    As most people predicted, it seems Apple will make some kind of announcement on September 9.

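  • The next Apple event is "Let's Rock" on September 9, from 2 a.m. on the 10th Japan time - Engadget Japanese
  • Apple officially announces September 9 iPod-related "Special Event": Marketing - CNET Japan

    Whenever information like this gets out, the rumor sites immediately start pumping out all sorts of information, and a few plausible-looking items have already surfaced.

  • Cases for the unannounced new iPod nano and new iPod touch keep appearing - Engadget Japanese
  • Digg's Kevin Rose: this is the new iPod nano design, and the touch gets a big price cut - Engadget Japanese
  • New iPod nano, iPod touch size data leaked? - Engadget Japanese
  • Design drawings of the latest iPod touch/nano leaked?: News - CNET Japan

    Well, whether any of it is true will be clear by 10 a.m. on September 9 (the small hours of the 10th Japan time), so arguing over whether it is true or false is pointless in itself. The real question is: supposing the long-awaited 2G iPod touch does come out on announcement day, do I click "buy" right away... If, after dragging things out this long, the iPod touch gets the model change everyone expects, I feel I could go for it immediately; on the other hand, past cases make it clear that new models come with their share of pitfalls... I feel like I could go ahead and be a guinea pig, and I also feel it wouldn't be too late to watch the other guinea pigs first... Now, what to do...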

    These days I hesitate to buy an iPod touch...

    2008-08-04 12:59:56 | Apple
    Apple Store(Japan)
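    Well, the excitement and fuss over the iPhone 3G launch has died down as far as the world is concerned, and as for me, I can't afford a second mobile phone and I suspect an iPod touch would be enough, so the iPhone 3G did nothing for me at all. Meanwhile the iPod touch has started to look strangely attractive, and I've been scheming about when and how to buy one and whether there's some good excuse, muttering to my wife things like "I don't need an iPhone, but I do want an iPod touch" and feeling as though I'd laid some groundwork. That's how things were these days, but...

    Lately I've had no time to check, so I'd been out of touch with what's on the net, but when I happened to take a look there were articles like "A hint of the next-generation iPod touch in the iPhone 2.1 beta? - Engadget Japanese", and somewhere it was even written that a 64 GB version is being prepared and that it even has GPS. Rumor or not, this raised the strong worry that if I buy an iPod touch now, the joy and sense of superiority of having bought something brand new would be trampled again within a few weeks, and my desire to buy was stripped away at a stroke

    If asked whether I absolutely need an iPod touch between now and September, the answer is that I don't, since I'm getting by perfectly well without one; but being a gadget lover by nature, I can't give up the desire to get my hands on one and use it to the full if I can. But if I drag this out and my long overseas business trip begins, I won't be able to buy one at all, so I'm stuck wondering what to do. Well, if it comes to that, it's also true that the destination is the home of the thing, so I could just buy it over there

    Now, what to do...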
    Apple Store(Japan)

    Security Update 2008-005 1.0

    2008-08-01 12:56:10 | Apple
    Security Update 2008-005 is available via Software Update.

    Security Update 2008-005 1.0 65.1 MB
    Security Update 2008-005 is recommended for all users and improves the security of Mac OS X.

    For detailed information on this update, please visit: http://support.apple.com/kb/HT1222?viewlocale=ja_JP
    Below, quoting the e-mail from Apple Product Security.
    APPLE-SA-2008-07-31 Security Update 2008-005

    Security Update 2008-005 is now available and addresses the following issues:

    Open Scripting Architecture
    CVE-ID: CVE-2008-2830
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: A local user may execute commands with elevated privileges
    Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges. The recently reported ARDAgent and SecurityAgent issues are addressed by this update. Credit to Charles Srstka for reporting this issue.

    BIND
    CVE-ID: CVE-2008-1447
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: BIND is susceptible to DNS cache poisoning and may return forged information
    Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.

    CarbonCore
    CVE-ID: CVE-2008-2320
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: Processing long filenames may lead to an unexpected application termination or arbitrary code execution
    Description: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

    CoreGraphics
    CVE-ID: CVE-2008-2321
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
    Description: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue.

    CoreGraphics
    CVE-ID: CVE-2008-2322
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
    Description: An integer overflow in the handling of PDF files may result in a heap buffer overflow. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PDF files. Credit to Pariente Kobi working with the iDefense VCP for reporting this issue.

    Data Detectors Engine
    CVE-ID: CVE-2008-2323
    Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: Viewing maliciously crafted messages with Data Detectors may lead to an unexpected application termination
    Description: Data Detectors are used to extract reference information from textual content or archives. A resource consumption issue exists in Data Detectors' handling of textual content. Viewing maliciously crafted content in an application that uses Data Detectors may lead to a denial of service, but not arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.5.

    Disk Utility
    CVE-ID: CVE-2008-2324
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
    Impact: A local user may obtain system privileges
    Description: The "Repair Permissions" tool in Disk Utility makes /usr/bin/emacs setuid. After the Repair Permissions tool has been run, a local user may use emacs to run commands with system privileges. This update addresses the issue by correcting the permissions applied to emacs in the Repair Permissions tool. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Anton Rang and Brian Timares for reporting this issue.

    OpenLDAP
    CVE-ID: CVE-2008-2952
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: A remote attacker may be able to cause an unexpected application termination
    Description: An issue exists in OpenLDAP's ASN.1 BER decoding. Processing a maliciously crafted LDAP message may trigger an assertion and lead to an unexpected application termination of the OpenLDAP daemon, slapd. This update addresses the issue by performing additional validation of LDAP messages.

    OpenSSL
    CVE-ID: CVE-2007-5135
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution
    Description: A range checking issue exists in the SSL_get_shared_ciphers() utility function within OpenSSL. In an application using this function, processing maliciously crafted packets may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

    PHP
    CVE-ID: CVE-2008-2051, CVE-2008-2050, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674
    Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: Multiple vulnerabilities in PHP 5.2.5
    Description: PHP is updated to version 5.2.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ PHP version 5.2.x is only provided with Mac OS X v10.5 systems.

    QuickLook
    CVE-ID: CVE-2008-2325
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution
    Description: Multiple memory corruption issues exist in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5.

    rsync
    CVE-ID: CVE-2007-6199, CVE-2007-6200
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4
    Impact: Files outside the module root may be accessed or overwritten remotely
    Description: Path validation issues exist in rsync's handling of symbolic links when running in daemon mode. Placing symbolic links in an rsync module may allow files outside of the module root to be accessed or overwritten. This update addresses the issue through improved handling of symbolic links. Further information on the patches applied is available via the rsync web site at http://rsync.samba.org/

    Security Update 2008-005 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

    For Mac OS X v10.5.4 and Mac OS X Server 10.5.4
    The download file is named: "SecUpd2008-005.dmg"
    Its SHA-1 digest is: 9c4fd4ee59965819427445f6de172c42b223e6e1

    For Mac OS X v10.4.11 (Intel)
    The download file is named: "SecUpd2008-005Intel.dmg"
    Its SHA-1 digest is: 1ff3242935c98325769b33148a2a8b1e72db567c

    For Mac OS X v10.4.11 (PPC)
    The download file is named: "SecUpd2008-005PPC.dmg"
    Its SHA-1 digest is: 2f56ea4311d5b85de3c494f6fee46360e5b7317e

    For Mac OS X Server v10.4.11 (Universal)
    The download file is named: "SecUpdSrvr2008-005Univ.dmg"
    Its SHA-1 digest is: 256401659308a634cee06b00d1a6ae9dc20b5467

    For Mac OS X Server v10.4.11 (PPC)
    The download file is named: "SecUpdSrvr2008-005PPC.dmg"
    Its SHA-1 digest is: d310d471bd39df92cb5580e18f356a222824d7d2

    Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
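The advisory lists a SHA-1 digest for each download. The following is an added example, not part of Apple's advisory or the blog post: it checks a downloaded file against those digests, using the file names and digest values listed above; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import sys

# File names and SHA-1 digests copied from the advisory text above.
ADVISORY_SHA1 = {
    "SecUpd2008-005.dmg": "9c4fd4ee59965819427445f6de172c42b223e6e1",
    "SecUpd2008-005Intel.dmg": "1ff3242935c98325769b33148a2a8b1e72db567c",
    "SecUpd2008-005PPC.dmg": "2f56ea4311d5b85de3c494f6fee46360e5b7317e",
    "SecUpdSrvr2008-005Univ.dmg": "256401659308a634cee06b00d1a6ae9dc20b5467",
    "SecUpdSrvr2008-005PPC.dmg": "d310d471bd39df92cb5580e18f356a222824d7d2",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large .dmg never has to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, table=ADVISORY_SHA1):
    """Return 'match', 'MISMATCH', or 'unlisted' for one downloaded file."""
    expected = table.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # name is not one the advisory lists; nothing to compare
    actual = sha1_of_file(path)
    return "match" if hmac.compare_digest(actual, expected.lower()) else "MISMATCH"


if __name__ == "__main__":
    results = [(p, check_download(p)) for p in sys.argv[1:]]
    for p, verdict in results:
        print(f"{verdict:9} {p}")
    # Non-zero exit if anything failed, so the check can gate an install script.
    sys.exit(0 if all(v == "match" for _, v in results) else 1)
```

A match only shows that the file is the one the advisory describes, so the digests are worth exactly as much as the copy of the advisory they were read from.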

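The rsync entry above describes symbolic links inside a module letting access escape the module root. The following is an added example, not rsync's patch and not part of the advisory: it contrasts a path check that ignores symlinks with one that resolves them first, on a constructed directory tree; all names are hypothetical.

```python
import os
import tempfile


def lexically_inside(root, requested):
    """Naive check: collapses '..' but never consults the filesystem."""
    root = os.path.normpath(root)
    full = os.path.normpath(os.path.join(root, requested))
    return os.path.commonpath([root, full]) == root


def resolves_inside(root, requested):
    """Resolve symlinks in both paths, then test containment."""
    real_root = os.path.realpath(root)
    real_full = os.path.realpath(os.path.join(real_root, requested))
    return os.path.commonpath([real_root, real_full]) == real_root


def run_demo():
    """Build a constructed module tree and classify three requests."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "module")       # stands in for the module root
        outside = os.path.join(base, "outside")   # must never be reachable
        os.makedirs(root)
        os.makedirs(outside)
        for path in (os.path.join(root, "ok.txt"),
                     os.path.join(outside, "private.txt")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # A link that lives inside the module but points outside it.
        os.symlink(outside, os.path.join(root, "link"))
        requests = ("ok.txt", "../outside/private.txt", "link/private.txt")
        return {r: (lexically_inside(root, r), resolves_inside(root, r))
                for r in requests}


if __name__ == "__main__":
    for request, (lexical, resolved) in run_demo().items():
        print(f"{request:26} lexical={lexical!s:5} resolved={resolved}")
```

Only the third request separates the two checks: the lexical test accepts it and the resolving test rejects it. A check followed by a separate open can still race with a link being swapped in between, so this shows the containment rule rather than a race-free open.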

    iTunes 7.7.1 Update

    2008-07-31 18:41:14 | Apple
    The iTunes 7.7.1 update is now available via Software Update.

    iTunes 7.7.1 48.0 MB
    Use iTunes 7.7.1 to sync music, video, and other data with iPhone 3G, and to download applications from the iTunes Store designed specifically for iPhone and iPod touch with software version 2.0 or later installed. You can also use the new Remote application for iPhone and iPod touch to control iTunes playback from anywhere in your home (a free download from the App Store).

    iTunes 7.7.1 includes fixes to improve stability and performance.



    iMovie Update 7.1.4

    2008-07-24 06:39:10 | Apple
    The iMovie 7.1.4 update is now available via Software Update.

    iMovie Update 7.1.4 39.8 MB
    This update addresses general compatibility issues, improves overall stability, and addresses other minor issues.



    iWeb Update 2.0.4

    2008-07-24 06:37:35 | Apple
    The iWeb 2.0.4 update is now available via Software Update.

    iWeb Update 2.0.4 36.3 MB
    This update resolves general compatibility issues.



    iLife Support 8.3

    2008-07-24 06:36:14 | Apple
    iLife Support 8.3 is now available via Software Update.

    iLife Support 8.3 5.5 MB
    iLife Support provides system software components shared by the iLife '08 applications. This update improves overall stability and fixes other minor issues. It is recommended for all users of iLife '08.

    For details on the security content of this update, see the following web site: http://docs.info.apple.com/article.html?artnum=61798-ja