Apple has released a patch for Mac OS X to address a Samba exploit announced last week. Samba is the networking technology used in Mac OS X that allows Macs to communicate on Windows networks, and allows a Windows client machine to network with a Mac server.
The exploit could allow someone to gain access to computers running Samba, including several flavors of Linux, Unix, and Mac OS X itself. The exploit was announced last week, along with information on how to patch it. Shortly thereafter, several Linux distributors released patches, but Apple has not followed suit until late yesterday with the new update. The company ignored several requests for information by TMO on when a patch might be released.
Samba is turned off by default in new Mac OS X installations, but Apple is specifically recommending that all Mac OS X users apply the new update. The patch, labeled Security Update 2002-03-24, also fixes a problem with OpenSSL. The notes supplied in Appleis Software Update Control Panel:
Security Update 2002-03-24 addresses a Samba vulnerability which could allow unauthorized remote access to the host system. The built-in Windows file sharing is based on the open source technology called Samba and is off by default in Mac OS X.
OpenSSL is also updated to address an issue in which RSA private keys can be compromised when communicating over LANs, Internet2/Abilene, and interprocess communication on local machine.
It is recommended that all users install this Security Update.
As of this writing, the update is available only through the Software Update Control Panel. Apple usually makes updates such as these available through the Apple Support site shortly after the update is released through the Software Update system. Anyone noting its addition to the Apple Support site is asked to post a note in the comments below.
TMO specifically recommends that you apply this patch ASAP, most especially if you work with any Windows networking.