Mac OS 10.5.5 packs fixes for slew of security flaws

With the release of Mac OS X 10.5.5 on Monday, the Cupertino, Calif., computer company provided patches for almost three dozen software flaws. Some of the fixes are specific to Apple features, such as image processing and Finder. Other fixes are updates to various open-source projects including Bind, ClamAV, OpenSSH, and Ruby.

Version 10.5.5 can be obtained from the Apple Software Downloads page.

ATS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue in CVE-2008-2305 in which viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this vulnerability.

BIND
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update upgrades users to BIND version 9.4.2-P2, which addresses performance issues associated with BIND version 9.4.2-P1.

ClamAV
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerabilities detailed within CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, and CVE-2008-3215 by updating Mac OS users to ClamAV version 0.93.3.

Directory Services
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed in CVE-2008-2329, in which a person with access to the log-in screen may be able to list user names. Apple says an information disclosure issue exists in Log-in Window when it is configured to authenticate users with Active Directory. "By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed."

Directory Services II
This patch affects users of Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4. The update addresses the insecure file operation vulnerability within CVE-2008-2330, in which a local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.

Finder
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the details within CVE-2008-2331 in which The Get Info window may not display the actual privileges for a file. Apple says "Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the file system Sharing & Permissions will take effect, but will not be displayed. This issue does not affect systems prior to Mac OS X v10.5." Apple credits Michel Colman for reporting the vulnerability.

Finder II
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4, specifically those running Mac OS X v10.5.2, MacBook Air running Mac OS X v10.5.3, and MacBook Air running Mac OS X v10.5.4. The update addresses a vulnerability detailed within CVE-2008-3613, in which an attacker with access to the local network may cause a denial of service. Apple credits Yuxuan Wang of Sogou for reporting the vulnerability.

ImageIO
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue detailed within CVE-2008-2327, in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Apple says multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images.

ImageIO II
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue detailed within CVE-2008-2332, in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Apple says there's a memory corruption issue that exits in ImageIO's handling of TIFF images. Apple credits Robert Swiecki of Google Security Team for reporting this vulnerability.

ImageIO III
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE- CVE-2008-3608, in which viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. Apple says there's a memory corruption issue that exists in ImageIO's handling of embedded ICC profiles in JPEG images.

ImageIO IV
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-1382 in which libpng in ImageIO is updated to version 1.2.29. Apple adds that CVE-2008-1382 is not known to affect the use of libpng in ImageIO, so this update is applied as a precautionary measure.

Kernel
This patch affects users of Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-3609 in which files may be accessed by a local user who does not have the proper permissions. Apple says cached credentials are not always flushed when a vnode is recycled. Apple credits Nevin ":-)" Liber, Thomas Pelaia of Oak Ridge National Lab, Thomas Tempelmann, and Ram Kolli for reporting this vulnerability.

Libresolv
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-1447, in which libresolv is susceptible to DNS cache poisoning and may return forged information. Apple explains that libresolv provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. Apple credits Dan Kaminsky of IOActive for reporting this vulnerability.

Login Window I
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-3610, in which a user may log in without providing a password. Apple explains that a race condition exists in Login Window. To trigger this issue, the system must have the guest account enabled or another account with no password. This issue does not affect systems prior to Mac OS X v10.5.

Login Window II
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the vulnerability described in CVE-2008-3611 in which person with access to the login screen may be able to change a user's password. Apple says that when a system has been configured to enforce policies on log-in passwords, users may be required to change their password in the log-in screen. If a password change fails, an error message is displayed, but the current password is not cleared and this may not be obvious to the user. Apple credits Christopher A. Grande of Middlesex Community College for reporting this vulnerability.

mDNSResponder
This patch affects users running Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses a buffer overflow vulnerability described in CVE-2008-1447 in which mDNSResponder is susceptible to DNS cache poisoning and may return forged information. Apple credits Dan Kaminsky of IOActive for reporting this vulnerability.

OpenSSH
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses multiple vulnerabilities in OpenSSH described in CVE-2008-1483 and CVE-2008-1657, the most serious of which is local X11 session control.

QuickDraw Manager
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the integer overflow vulnerability described in CVE-2008-3614, in which opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses a vulnerability described in CVE-2008-2376 in which running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution. Apple says there's an integer overflow in rb_ary_fill(), which implements the Ruby Array#fill method.

SearchKit
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses a vulnerability described in CVE-2008-3616 in which applications passing untrusted input to the SearchKit API may lead to an unexpected application termination or arbitrary code execution. Apple explains that an integer overflow issues exist in functions within the SearchKit framework.

System Configuration I
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the vulnerability described in CVE-2008-2312, in which a local user may obtain the PPP password. Apple says Network Preferences stores PPP passwords unencrypted in a world readable file, accessible to any local user. Apple credits Hernan Ochoa of Core Security Technologies, Tore Halset of pvv.org, and Matt Johnston of the University Computer Club for reporting this vulnerability.

System Preferences I
This patch affects users of Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability described in CVE-2008-3617, in which users may be misled into believing their passwords are stronger than they are. Apple says "Remote Management and Screen Sharing can be configured to require a password for VNC viewers. The maximum length for VNC viewer passwords is eight characters. The password field can display more than eight characters, implying that the additional characters are used in the password. This update addresses the issue by limiting VNC viewer passwords to eight characters in the user interface." Apple credits Michal Fresel of hi competence e.U. for reporting this vulnerability.

System Preferences II
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the vulnerability described in CVE-2008-3618 in which authenticated users may have unexpected remote access to files and directories.

Time Machine
This patch affects users of Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability described in CVE-2008-3619 in which backing up a system with Time Machine may lead to the disclosure of sensitive information. Apple says that during a Time Machine Backup, several log files are saved to the backup drive with read permission allowed to other users and may lead to the disclosure of sensitive information.

VideoConference
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses vulnerability described in CVE-2008-3621, in which videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution. Apple says a memory corruption issue exists in the VideoConference framework's handling of H.264 encoded media.

Wiki Server
This patch affects users of Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses a divide by zero vulnerability described in CVE-2008-3622, in which a remote attacker may cause persistent JavaScript injection on a Wiki server. Apple says "the Wiki Server mailing list archive will execute JavaScript code embedded in messages. A remote person may send an email containing JavaScript code to a mailing list hosted on a Wiki server. Viewing the message from the Wiki Server mailing list archive will trigger the execution of the embedded JavaScript code on the system of the person viewing the message."

[AndrewRich]

How about Mail.app randomly reloading hundreds of RSS feeds with month-old articles? How about Safari randomly throwing an undeleteable database in the Trash that won't go away until you kill Safari? How about mysterious crashes and failures when syncing Bluetooth headphones?

[AppleSuxLeo]

Apple sure writes buggy software ! How will Mr Whipple spin this ?
I`m not surprised...UNIX was developed in 1969.

[Vegaman_Dan]

The patches appear to be related to security flaws in the OS. The issues you have addressed are more about feature / application support and not likely to be covered by any updates until the actual core product is updated.

[ewelch]

If this is an update for 10.5, why are you listing the 10.4 patches? Trying to make OS X look less secure?

Let's see the same level of detail for the list for Vista next time and XP Pro too. Together. Not separate.

[eferron]

10.5 still has security flaws, that have not been patched, and several more waiting to be discovered. It is not about making 10.5 look unsecure, it is about making sure you are protectiing your assets, by understanding the difference between good marketing, and real security. The fact you and millions of other users have not been compromised does not mean you are secure. I run both Vista and OSX and I neither machine has been compromised, but I don't pretend I am not vulnerable, and neither should you.

[joetesta70]

OSX = Unsecure crap.

[ckurowic]

Okay, boss. What do you use? Windows? Get a life M$ fanboy

[Dalkorian]

If OSX = Unsecure crap, winBLOWS is more worthless than the garbage you threw out this morning.

[jandler]

what's up ISheep? can't take a little criticism when your precious little one is under some kind of attack? Welcome to the big leagues juniors. Can't take a punch? Don't throw a jab.

[08Rabbit]

well said Jandler

[NewsReader_]

This is pretty bad. PPP Passwords stored in clear text? Race conditions on the login screen? Exposing server passwords? Exposing a list of all local users?

And they have the nerve to call this a "secure" OS. Pretty soon, Apple is going to run out of sugar for that Kool-Aid everyone has been drinking.

[protagonistic]

Mac envy can be a terrible affliction. :-) I have far fewer security problems on my Mac than I ever did running Windows.

[eferron]

Why do you need a security suite for OSX? Because I do not want to put all my eggs in one basket and wait for Apple to be my only line of defense. There is nothing magic about the developers and testers at Apple. Many of them worked at HP, Microsoft, and other companies. They are just people not magicians, and the can write code with security flaws, and major bugs. I would love to have more than one set of eyes helping me to protect against vulnerabilities on my computer. After the iPhone and the OSX stuff Apple is getting the attention that comes along with success, much in the same way Winodws and Office did when they exploded into the corporate and consumer world. You can't do it alone, and no amount of fanfare and turning a deaf ear is going to make your product any more secure.

Apple and partners get with the program and start creating some mainstream security suites to protect consumers.

Ed

[TrioBrothers]

Hehehe... Even Mac has their flaws. Good luck to those people who thinks Mac is always the best.

I only could believe my ears when one related Mac to visually good graphics, but nothing more than that. Its more for style. Windows have the most problems, but the most fun in solving them too yourself. Got to live up with that; there's a saying even medicines are drugs, and they heal and create new health issues too.

Accept it. No one's perfect.