Apple released a hefty security update for Mac OS X and OS X Server on Wednesday that fixes more than 40 vulnerabilities, a number of which could be exploited to run programs on the machine remotely or could lead to the disclosure of sensitive data.
The software fixes vulnerabilities that could have led to arbitrary code execution and/or unexpected application termination related to the implementation of AFP Server, AppKit, Apple Pixlet Video, ATS, CoreFoundation, CoreGraphics, Flash Player Plug-in, Help Viewer, and iCal. The iCal vulnerability was discovered by Core Security, which last week announced it had found three vulnerabilities in iCal.
It also fixes vulnerabilities that could have led to disclosure of sensitive information related to the implementation of technologies including CUPS, International Components for Unicode, and CFNetwork when visiting a maliciously crafted Web site due to an issue in Safari's SSL client certificate handling.
Meanwhile, other updates fix vulnerabilities that could lead to information disclosure and allow a local user to manipulate files with the privileges of another user in Mail; allow a remote attacker to read arbitrary files related to Ruby; expose passwords supplied to sso_util to other local users when using Single Sign-On; expose user names on servers with Wiki Server enabled to a remote attacker; and fail to warn users before opening certain potentially unsafe content types.
In addition, the software fixes a vulnerability that could lead to information disclosure when viewing a maliciously crafted BMP or GIF image, and to unexpected application termination or arbitrary code execution when viewing a maliciously crafted JPEG2000 image file.
Security Update 2008-003 and Mac OS X v 10.5.3 are available from Apple's Software Downloads Web site.