October 9, 2008 3:08 PM PDT

Apple's October update fixes 20 security flaws

by Robert Vamosi

With the release of its Apple SA-2008-10-09 security update on Thursday, the Cupertino, Calif.-based computer company provided patches for nearly two dozen software flaws.

Some of the fixes included in the update, which can be obtained from Apple's Software Downloads page, are specific to Apple features, such as Single Sign On, Finder, and ColorSync. But the release also addresses an error introduced in Mac OS X 10.5.5. Other fixes are updates to open-source projects, including Apache, ClamAV, PHP, and Tomcat.

Apache
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. It is an update to version 2.2.9 of Apache, addressing several issues detailed in CVE-2007-6420, CVE-2008-1678, and CVE-2008-2364, the most serious of which may lead to cross-site request forgery.

Certificates
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update adds several trusted certificates.

ClamAV
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5.5. The update addresses the vulnerabilities detailed within CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, and CVE-2008-3914 by updating Mac OS users to ClamAV version 0.94.

ColorSync
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability detailed in CVE-2008-3642, in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.

CUPS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the insecure file operation vulnerability within CVE-2008-3641, in which a remote attacker may be able to cause arbitrary code execution with the privileges of the "lp" user.

Finder
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses the issue detailed within CVE-2008-3643, in which a maliciously crafted file on the Desktop causes the Finder to unexpectedly terminate when generating its icon, which can also cause Finder to terminate and restart continually. Apple credits Sergio 'shadown' Alvarez of N.runs for reporting the vulnerability.

Launchd
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses a vulnerability detailed within CVE-2008-3613, in which an issue introduced in Mac OS X v10.5.5 may cause an application's request to enter a sandbox to fail. This issue does not affect systems prior to Mac OS X v10.5.5.

Libxslt
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the issue detailed within CVE-2008-1767, in which viewing a maliciously crafted HTML page may trigger a buffer overflow and lead to an unexpected application termination or arbitrary code execution. Apple credits Anthony de Almeida Lopes of Outpost24 and Chris Evans of the Google Security Team with reporting this vulnerability.

MySQLServer
This patch affects users of Mac OS X Server v10.5.5. The update upgrades MySQL to version 5.0.67 to address the vulnerabilities outlined in CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, and CVE-2008-2079, the most serious of which may lead to arbitrary code execution.

Networking
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability detailed within CVE-2008-3645, in which a heap buffer overflow exists in the local IPC component of configd's EAPOLController plug-in, which may enable a local user to obtain system privileges. Apple credits itself for finding this vulnerability.

PHP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, and Mac OS X Server v10.5.5. The update upgrades PHP to version 4.4.9 to address the vulnerabilities detailed in CVE-2007-4850, CVE-2008-0674, and CVE-2008-2371, the most serious of which may lead to arbitrary code execution.

Postfix
This patch affects users of Mac OS X v10.5.5. The update addresses the vulnerability detailed within CVE-2008-3646, in which a remote attacker may be able to send mail directly to local users. Apple credits Pelle Johansson for reporting this vulnerability.

PSNormalizer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability detailed within CVE-2008-3647, in which viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding this vulnerability.

QuickLook
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses the vulnerability detailed within CVE-2008-4211, in which downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding this vulnerability.

Rlogin
This patch affects only users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability described in CVE-2008-4212, in which systems that have been manually configured to use Rlogin and hosts.equiv may unexpectedly permit root login. Apple credits Ralf Meyer for reporting this vulnerability.

Script Editor
This patch affects users running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability described in CVE-2008-4214, in which a local user may gain the privileges of another user of Script Editor.

Single Sign On
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability described in CVE-2008-4214, in which a local user may gain the privileges of another user of Script Editor.

Tomcat
This patch affects only users of Mac OS X Server v10.5.5. The update upgrades Tomcat on Mac OS X v10.5 systems to version 6.0.18 to address the vulnerabilities detailed in CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, and CVE-2007-5461, the most serious of which may lead to a cross-site scripting attack.

Vim
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses the vulnerabilities detailed in CVE-2008-2712, CVE-2008-4101, CVE-2008-3432, and CVE-2008-3294, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files.

Weblog
This patch affects users of Mac OS X Server v10.4.11. The update addresses a vulnerability described in CVE-2008-4215, in which access control on Weblog postings may not be enforced.
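Several of the items above are fixed simply by shipping a newer upstream release (Apache 2.2.9, ClamAV 0.94, MySQL 5.0.67, PHP 4.4.9, Tomcat 6.0.18), so the practical question for an administrator is whether the copy on a given box is older than the version the update carries. The script below is an added example, not code from Apple or CNET: it takes the fixed versions named in the article, pulls the version number out of each tool's banner line, and reports the components that predate the update. The "observed" banner lines are constructed sample output, not captured from a real system, and the tuple comparison is there because a plain string comparison would rank 2.2.10 below 2.2.9.

```python
"""Flag components whose installed version predates the fix versions named in
Apple's 2008-10-09 update. Added example; not Apple's or CNET's code."""
import re

# Fixed versions as listed in the article for the open-source components.
FIXED_VERSIONS = {
    "Apache": "2.2.9",
    "ClamAV": "0.94",
    "MySQL": "5.0.67",
    "PHP": "4.4.9",
    "Tomcat": "6.0.18",
}


def parse_version(text):
    """Return the version in a banner line as a tuple of ints.

    Tuples compare numerically, so (2, 2, 10) > (2, 2, 9), whereas the
    strings "2.2.10" < "2.2.9" because '1' sorts before '9'. Banners can
    carry more than one dotted number (mysql prints its client "Ver" before
    "Distrib x.y.z"), so the most specific one is taken.
    """
    matches = re.findall(r"\d+(?:\.\d+)+", text)
    if not matches:
        raise ValueError(f"no version number in: {text!r}")
    best = max(matches, key=lambda v: v.count("."))
    return tuple(int(part) for part in best.split("."))


def is_below(observed_line, fixed_version):
    """True when the version in observed_line is older than fixed_version."""
    return parse_version(observed_line) < parse_version(fixed_version)


def audit(observed_lines):
    """Map each outdated component to (observed, fixed) version tuples."""
    outdated = {}
    for component, line in observed_lines.items():
        fixed = FIXED_VERSIONS[component]
        if is_below(line, fixed):
            outdated[component] = (parse_version(line), parse_version(fixed))
    return outdated


# Constructed sample banners in the shape "httpd -v", "clamscan --version",
# "mysql --version", "php -v" and Tomcat's version script print them.
SAMPLE_OBSERVED = {
    "Apache": "Server version: Apache/2.2.8 (Unix)",
    "ClamAV": "ClamAV 0.94/8380/Wed Oct  8 2008",
    "MySQL": "mysql  Ver 14.12 Distrib 5.0.45, for apple-darwin9",
    "PHP": "PHP 4.4.9 (cli)",
    "Tomcat": "Server version: Apache Tomcat/6.0.14",
}

if __name__ == "__main__":
    for component, (seen, fixed) in sorted(audit(SAMPLE_OBSERVED).items()):
        seen_s = ".".join(map(str, seen))
        fixed_s = ".".join(map(str, fixed))
        print(f"{component}: installed {seen_s}, update ships {fixed_s}")
```

On the constructed sample, Apache, MySQL and Tomcat are reported as outdated while ClamAV and PHP already match the shipped versions. Replace `SAMPLE_OBSERVED` with the real banner output of each tool to run it against a system; the version-number heuristic is deliberately simple and is the part to adjust if a tool's banner differs.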

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by joetesta70 October 9, 2008 4:15 PM PDT
LOL - Lots of fixes from Crapple and $teve Job$. I'll buy a PC from a company whose stock isn't tanking thank you very much!
by mikebrown66 October 9, 2008 9:39 PM PDT
To joetesta70 - please do buy a PC, I'd rather someone like yourself doesn't own a Mac anyways - you'd give us a bad reputation. The only problem with Apple's increase in market share lately is its increase in market share... those PC lovers (if they can be called such a thing?) are starting to get a little paranoid. Don't worry, there will always be enough fools out there that buy their computers based only on price to keep Windoze going for many years to come.
by Mr. Dee October 9, 2008 4:35 PM PDT
This is not the Apple I know! It doesn't matter anyway, Apple bashing has drifted from the amount of patches Windows gets to things like compatibility and ease of use.
by joetesta70 October 9, 2008 5:16 PM PDT
Just like McCain....trying to change the argument. Facts are Crapple has bugs and patches.
by SMB-IL October 10, 2008 8:02 AM PDT
Wow, joetesta70, way to turn that argument in your favor! "Facts" are that EVERY OS has bugs and patches, it's just that the bugs and patches on a Mac don't generally destroy the machine.
by quasimodal October 9, 2008 4:49 PM PDT
Like Microsoft doesn't have bug fixes (like the 11 security patches just announced). A majority of Apple's fixes are for open source apps.
by KRz9292 October 9, 2008 5:13 PM PDT
There is a PC company whose stock isn't tanking right now.

joetesta70, please let everyone know which one it is so we can all go out and buy the stock to offset all the losses in the tech stock market.

Maybe Warren Buffet has overlooked that one for now.
by Perry_Clease October 9, 2008 6:55 PM PDT
Don't waste your time on the trolls, it is like trying to reason with a 2 year old or a drunk.
by Vegaman_Dan October 9, 2008 5:17 PM PDT
All OSes have flaws. I'm glad that Apple is addressing them publicly instead of their past history of not saying anything.

Those Apple fanboys who keep insisting that it's a secure system without flaws are becoming quieter with every update release.

Welcome to the world of reality. Every OS has issues. You deal with them and move on.
by Vegaman_Dan October 9, 2008 10:16 PM PDT
I'm afraid that Penguinisto disagrees with the notion that every Operating System has flaws and has called me on it. He has accused me of lying stating that OS products have flaws. I have asked him to give evidence of an OS that does not have any flaws.

I will be curious to find this magical OS that is perfect. Perhaps there is something out there that the IT world doesn't know about yet. He could be on to something really big.

Let's give him some support folks. He is going to need it.
by NewsReader_ October 9, 2008 5:31 PM PDT
This just proves the point that Mac OS has the same type of vulnerabilities as Windows. It has had them all along, even when Apple and its users were touting it as a superior platform in terms of security. It is hard to maintain such claims when you have monthly patches for "arbitrary code execution" on a routine basis.

The biggest difference is that no one targets the vulnerabilities on the Mac.

We have seen in the past year that as Mac adoption has grown, so has the number of patches. If the adoption continues to grow, guess what, it will start to become a more tempting target for hackers. The good news for Apple is that they are shaking bugs out early and rather inconspicuously. This activity proves though that they have security flaws just like every other OS.
by UITD October 9, 2008 6:08 PM PDT
Wait a minute. I thought Apple computers weren't affected by security issues. I thought they were immune. Geez... more BS in this world, I suppose.
by howyoudoin956 October 9, 2008 7:15 PM PDT
Gotta love people who think that Apple releasing security updates is new. Apple released security updates as far back as 10.3 (can't remember as far back as 10.2). People just love picking on Apple fans as much as Cubs fans (but I agree with picking on Cubs fans). Until I start seeing spyware and viruses for the Mac I will continue to use that as an advantage regardless of why they don't have any.
by compudoc318 October 10, 2008 9:11 AM PDT
and hopefully you'll start seeing games, software choice, lower prices, and business uses.....lol.
by Mr. Dee October 9, 2008 8:34 PM PDT
@ KRz9292:

'There is a PC company whose stock isn't tanking right now.'
Who is it, because it sure ain't Apple?
by Penguinisto October 9, 2008 8:59 PM PDT
Corrections are in order:

* Adding trusted certs does not constitute patching a "security flaw".

* 8 of the listed flaws only affect server-type services (Apache, Tomcat, PHP, ClamAV...) - so when do we start lumping in Windows Server and IIS patches as "Windows flaws" with MSFT's Patch Tuesday?

* One of them requires the user to manually set a service buried deep in the system (Rlogin).

* One of them requires opening a maliciously crafted file by using a command-line tool (vim).

That chops down the number of flaws that would affect the typical Mac user to... eight. Not so sensationalistic anymore, is it?

@Vegaman_Dan: You're lying. Every OS has flaws. Question is, how easy is it to exploit them?

Let's find out: Judging by the eight actually usable vulns left over, three of those absolutely require local privileges - fat chance there if you're looking to build a botnet. Three of them require the user to download and open a maliciously-crafted file - not very likely given that these files in question are pretty oddball and would raise alarms. This leaves two vulns left - both of which require the victim to go to a rigged website... good luck with that, Chief.

Meanwhile, I hear that Windows-based botnets are on the rise again... ;)

/P
by Vegaman_Dan October 9, 2008 10:13 PM PDT
Penguinisto wrote:

"@Vegaman_Dan: You're lying. Every OS has flaws. Question is, how easy is it to exploit them?"

Alright, if you want to call me on that and say that I'm lying, then please list any and all operating systems that are completely flawless. I'll be curious to see your answer. If you are going to make accusations that I'm lying, then you should be able to back it up with evidence. Please do so now. We need either evidence of a perfect operating system... or an apology. I'm afraid you really didn't leave yourself much wiggle room there. It's your honor on the line now. Do you bring forth your evidence, or do you back down and be mature about it? I think the readers don't even have to wait for your answer to know how that will turn out.

So, out of curiosity, how is that new job of yours turning out? You know, the one that you were bragging about as the chief CIO of a new startup in data security? Just wondering... I like to keep track of the stories you tell. They are so varied and creative and rarely ever the same twice.
by Penguinisto October 10, 2008 6:35 AM PDT
1) Your demand is a non-sequitur. No serious Apple enthusiast has said that OSX (or any OS) is without flaws. How would providing a "ist[sic] of any and all operating systems that are completely flawless" prove a statement (which I wrote right up there for everyone to see) that no OS is without flaws?

2) "chief CIO"? No. Systems Architect, yes. In response to your question, we start production soon, and the contract may become permanent; I'm doing very well there, thanks much.

3) Are you okay? Dude - you may want to lie down and stay off the web for awhile.

/P
by compudoc318 October 10, 2008 9:09 AM PDT
Total B.S. Apple fanboys talk about their bulletproof systems all day... all I hear is that OS X is so much better since it's secure, but that's only due to market saturation. If Apple was as successful as Microsoft, hackers would tear it to shreds just like they tear up Windows.
by Vegaman_Dan October 10, 2008 11:52 AM PDT
1) There you go folks. I gave him the opportunity to back up his accusations or to apologize. I wanted to give him every opportunity to make good on his claims or back out gracefully. Instead he changed the subject. Chalk that up for typical Penguinisto behavior. At least he's consistent.

2) Not the CIO? Glad to hear that the company has a future for it. Good luck in that. Seriously. As much as we disagree on many things, I don't want you to be out of work or suffer personally. At the end of the day, I know that nothing here online is serious or important.

3) Thanks for the advice. I mostly post here to correct your comments as they are often flagrantly inaccurate, inflammatory, or simply hateful/bigoted. I am not afraid to say that the Penguinisto has no clothes.
by Penguinisto October 10, 2008 1:25 PM PDT
@ Dan: You poor creature... any literate person reading this knows that you've blown it, big-time. Just apologize gracefully while you still have some credibility left, 'k?

@ "compudoc318": Concerning: "total b.s. apple fan boys talk about thier bullet proof systems all day"

Considering that there has yet to be any real malware released for OSX, it is easy to see why that assumption can be made. So far, OSX has been bullet-proof (notice the difference between the phrases "without security flaws" and "bullet-proof"). Here's the rub: bullet-proof vests can be eventually penetrated with a big enough bullet - problem is, the script kiddies have yet to come up with one.
by KRz9292 October 9, 2008 10:36 PM PDT
Mr. Dee, since the stock markets today are down at 5-year lows it would seem most companies' stocks are in the tank. Perhaps you hadn't noticed that.

Your first post would imply that you are buying a PC from a company whose stock isn't tanking.

So please tell us all what PC company's stocks aren't tanking now so we can all go out and buy the stock and a PC from it to keep its stock soaring. Or don't you know of such a company?
by goodspeed8701 October 10, 2008 12:04 AM PDT
Apple only said 20 patches and did not include the 30 more patches, as it's a big secret that their customers will never know about. I was using Vista without antivirus and I decided to install Norton; after everything was done I scanned and no virus was found, only that my cookies were enabled. Vista is really great, despite all the warez sites I go to, and no virus was in.

Know that in the exploit contest the Mac was the first to go down. Wapple fanboys take note.
by AppleSuxLeo October 10, 2008 3:28 AM PDT
AAPL has lost well over 60% of its market cap in a month. MSFT market cap is in much better shape. Apple, which is a boutique seller of overpriced items, much like "Sharper Image", does especially badly in a recession. Market cap is what matters... and AAPL is getting hammered!
Apple=Sharper Image 1987 is here again for Crapple.
by anilsudh October 10, 2008 5:31 AM PDT
ABE CHUTHIA, MADHARCHOD, BENCHOD, MSFT TERE GAAND MEIN DAALU KYA. LUND FAKIR.
by ferretboy88 October 10, 2008 4:31 AM PDT
If every person had an iPhone, iPod and MacBook we would all be at the coffee shop looking like complete clones. Might as well go out and buy a black turtleneck.
by AppleSuxLeo October 10, 2008 5:13 AM PDT
And some faded jeans and tennis shoes.
by 3rdalbum October 13, 2008 3:43 AM PDT
It's great that Apple are still fixing small implementation issues with their operating system, but when are they going to start actually taking security seriously by fixing the massive design flaws that have been there since the early days? Remember, it was only two months ago that Apple patched a "day-dot" root exploit that they were first notified about four years ago, and that can be performed by an ordinary person with a single terminal command.