From: patpro (patpropatpro.net)
Date: Sun Oct 07 2001 - 13:49:09 CDT

    system affected : French, German, Italian and Spanish MacOS X 10.0.x updated
    to 10.1

    vulnerability : '/Users/<admin-login>/Desktop' has improper drwxrwxrwx
    permission

    Hi,

    the problem is now well known and an explanation can be found here:

        http://securityfocus.org/cgi-bin/archive.pl?id=1&mid=195040
        http://securityfocus.org/cgi-bin/archive.pl?id=1&mid=195039

    Apple has corrected the problem in 10.1, but, in order to install the 10.1
    update you must have 10.0.x properly installed.
    If a '/Users/<login>/Desktop' directory is vulnerable on a 10.0.x it will
    not be corrected by the 10.1 update. Only users created after 10.1 update
    will have a secure '/Users/<login>/Desktop'.
    So even if you install from scratch (fresh partition, installation of 10.0.x
    and then installation of 10.1 update) the original user account (the admin
    account) will be vulnerable.

    It's possible (*not tested*) that installing the 10.1 update on 10.0.x
    without booting on 10.0.x at the end of the first installation (i.e. by
    using an OS9 as preferred booting partition) prevents 10.0.x from creating
    the vulnerable Desktop folder, and then lets 10.1 create a secure Desktop.

    solution : choose English as preferred language for 10.0.x installation or
    chmod the admin ~/Desktop.

    patpro

    -- 
     ()    ASCII ribbon campaign...
     /\    Against HTML mail, vcards and morons
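
One way to apply the chmod workaround from the message across every account, as an added example that is not part of the original post: it lists each `<root>/<login>/Desktop` directory that is world-writable and removes group and other write access. The function names and the `go-w` target are assumptions; the post does not say which mode the directory should end up with.

```shell
#!/bin/sh
# Added example (not from the original post): audit and repair
# world-writable Desktop folders under a users root such as /Users.
# Function names are hypothetical; "go-w" is an assumed target, since
# the post only says the drwxrwxrwx mode is improper.

# Print every <root>/<login>/Desktop directory that is world-writable.
list_open_desktops() {
    root=${1:-/Users}
    # -perm -0002 matches any mode with the "other write" bit set,
    # which covers the drwxrwxrwx case described in the post.
    # -type d never matches a symlink, so a link named Desktop is skipped.
    find "$root" -mindepth 2 -maxdepth 2 -type d -name Desktop \
        -perm -0002 -print
}

# Remove group/other write from each finding and report what changed.
# Must run as the directory owner or as root for chmod to succeed.
fix_open_desktops() {
    root=${1:-/Users}
    list_open_desktops "$root" | while IFS= read -r dir; do
        chmod go-w "$dir" && printf 'fixed %s\n' "$dir"
    done
}

# Minimal command line: "audit [root]" only reports, "fix [root]" repairs.
case "${1:-}" in
    audit) list_open_desktops "${2:-/Users}" ;;
    fix)   fix_open_desktops "${2:-/Users}" ;;
esac
```

Running `audit` again after `fix` should print nothing; accounts created after the 10.1 update should never appear in the list.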