June 30, 2008 2:19 PM PDT

Apple patches 25 flaws with latest update

On Monday, Apple released Mac OS X 10.5.4. In addition to enhancements to existing features, Apple bundled in 13 specific security updates, including one for Safari 3.1.2. The security update APPLE-SA-2008-004 and Mac OS X 10.5.4 can be downloaded and installed from Apple Downloads.

Alias Manager
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an alias manager vulnerability described in CVE-2008-2308. According to Apple, a "memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier."

CoreTypes
This patch affects users running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a potentially unsafe content types vulnerability described in CVE-2008-2309. Apple says, "This update adds .xht and .xhtm files to the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a Web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature." Apple credits Brian Mastenbrook for reporting this issue.

c++filt
This patch affects users of Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a c++filt vulnerability described in CVE-2008-2310. Apple says that a "format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings."

Dock
This patch only affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a screen lock bypass vulnerability described in CVE-2008-2314. "When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active," Apple says. Apple credits Andrew Cassell of Marine Spill Response for reporting this issue.

Launch Services
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a maliciously crafted Web site vulnerability described in CVE-2008-2311. "A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation," Apple says. "If the 'Open "safe" files' preference is enabled in Safari, visiting a maliciously crafted Web site may cause a file to be opened on the user's system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files."

Net-SNMP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses an SNMPv3 packet vulnerability described in CVE-2008-0960. Apple says an "issue exists in Net-SNMP's SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets."

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses Ruby script vulnerabilities described in CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, and CVE-2008-2726. Apple says that "multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays."

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the WEBrick vulnerability described in CVE-2008-1145. Apple says that "the :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names." The directory traversal issue associated with this vulnerability does not affect Mac OS X.
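
As an added illustration (not code from the article, Apple, or WEBrick), the Ruby sketch below contrasts a case-sensitive match of :NondisclosureName-style patterns with a case-folded one. The pattern list, request paths and helper names are constructed for the example; it assumes a file system that resolves file names case-insensitively, which is where a differently capitalized name reaches the same restricted file.

```ruby
# Added example: constructed patterns in the style of a :NondisclosureName
# value. This is not WEBrick's own source code.
NONDISCLOSURE = [".ht*", "*~"].freeze

# Case-sensitive match: ".HTPASSWD" does not match ".ht*", so a name with
# unexpected capitalization is not recognized as restricted.
def hidden_case_sensitive?(name, patterns = NONDISCLOSURE)
  patterns.any? { |pat| File.fnmatch(pat, name) }
end

# Hardened match: fold case before comparing, so capitalization is irrelevant.
def hidden_case_folded?(name, patterns = NONDISCLOSURE)
  patterns.any? { |pat| File.fnmatch(pat, name, File::FNM_CASEFOLD) }
end

# A request is servable only if no path segment matches a restricted pattern.
# `checker` is the name of one of the two predicate methods above.
def servable?(request_path, checker)
  segments = request_path.split("/").reject(&:empty?)
  segments.none? { |seg| send(checker, seg) }
end

# Constructed request paths for the comparison.
SAMPLE_REQUESTS = [
  "/index.html", "/.htpasswd", "/.HTPASSWD", "/admin/.HtAccess", "/notes.TXT~"
].freeze

# Evaluate each path under both checks.
def audit(requests = SAMPLE_REQUESTS)
  requests.map do |path|
    { path: path,
      sensitive_allows: servable?(path, :hidden_case_sensitive?),
      folded_allows: servable?(path, :hidden_case_folded?) }
  end
end

# Paths the case-sensitive check would serve but the case-folded check blocks.
def bypass_candidates(requests = SAMPLE_REQUESTS)
  audit(requests).select { |r| r[:sensitive_allows] && !r[:folded_allows] }
                 .map { |r| r[:path] }
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |r| puts format("%-18s sensitive=%-5s folded=%s", r[:path], r[:sensitive_allows], r[:folded_allows]) }
  puts "Differ: #{bypass_candidates.inspect}"
end
```

The same comparison works as a regression test for any allow/deny filter that matches file names by pattern on a case-insensitive volume.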

SMB File Server
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the heap buffer overflow vulnerability described in CVE-2008-1105. Apple says that "sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets." Apple credits Alin Rad Pop of Secunia Research for reporting this issue.

System Configuration
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the User Template directory vulnerability described in CVE-2008-2313. Apple says "a local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later." Apple credits Andrew Mortensen of the University of Michigan for reporting this issue.

Tomcat
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses Tomcat 4.1.36 vulnerabilities described in CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, and CVE-2007-5461. Apple says "Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Tomcat version 6.x is bundled with Mac OS X v10.5 systems."

VPN
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a divide by zero vulnerability described in CVE-2007-6276. Apple says that "processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5."

WebKit
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses the memory corruption vulnerability described in CVE-2008-2307. Apple says "visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP/Vista, this issue is addressed in Safari v3.1.2 for those systems. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution." Apple credits James Urquhart for reporting this issue.

26 comments (Showing first 20 comments)
by richto June 30, 2008 3:33 PM PDT
Looks like this Swiss cheese of an OS is finally having increasing numbers of band aids applied.
by M C June 30, 2008 4:18 PM PDT
LOL @ above comment - shoulda took the comp sci courses, dude. (For example: note that some of the patches aren't even to Apple-created items.)

Standard CNet headline - maybe CBS can get you back to journalism and off of click-baiting.
by Kwasiowusu June 30, 2008 4:55 PM PDT
Large numbers of security holes in the Mac OS X?
Oh no!
Surely that can't be?
My eyes must be deceiving me!
Surely, it's only that darned "Windoze" that has security holes.
(that is according to the Apple crazies anyways)
Apple's OS X is of course "bullet proof" :)
by The_Decider June 30, 2008 5:29 PM PDT
Most of these are third party apps and nothing to do with the OS. It is not like I expect anyone from CNET to have basic technical knowledge, that is simply too outrageous. It is still infinitely more secure than Windows despite the ignorant claims of MS fanboys. Get back to me when a 12 year old who couldn't tell you what a stack is much less how to 'smash the stack' successfully exploit OSX or Linux. They do it every day in Windows.
by trevorbsmith June 30, 2008 6:46 PM PDT
You reference Safari 3.2.1 at the top of this article, but the actual tech notes say Safari is updated to 3.1.2 (and indeed, after the update was applied, Safari sits at 3.1.2 on my system). Might that be a typo?
by pcoogan June 30, 2008 9:43 PM PDT
A "new version" wow, you have got to love Apple's marketing team. That makes me feel so much better now, that I didn't buy a PC. PC users have to download bundles of patches every month. Whereas I get a whole new version, for free. Which is nothing like a bundle of patches, right?
by jamalystic July 1, 2008 7:18 AM PDT
Glad to learn that Apple is doing these security patches. I read the following scathing attack from a security expert about Apple's perceived arrogance when it comes to security issues. Maybe these security patches will answer his questions: Apple's Arrogant Attitude About Security ( http://www.internetevolution.com/author.asp?section_id=515&doc_id=142628&F_src=flftwo)
by ittesi259 July 1, 2008 7:59 AM PDT
Learn a little bit about numbering conventions used in most software projects and you'd know this isn't being billed as a new version of the software.
by someguy999 July 1, 2008 11:03 PM PDT
I'm sorry, I don't know what everyone's talking about... Apple is built on linux and as we all know linux has no security threats, the author must be mistaken.
by Thomas, David July 2, 2008 8:17 AM PDT
Oh my. This was simply proactive updates, as well as changes for the operating system. Starting a religious war is non-productive, and illustrates an extremely narrow-minded thought pattern.

For those pointing to Apple updates as proof the operating system is flawed, that is backwards thinking. To me, and every real professional, it's proof they fix things before moving on and trying to sell something else. However, the most important fact, they fix things before their customers are harmed.

Bottom-line, it's just another update.
by cannabisindica July 2, 2008 11:10 AM PDT
Good for Apple - Now will you PLEASE get an update that stops my new 15" MBP crashing twice a day!
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
