June 30, 2008 2:19 PM PDT

Apple patches 25 flaws with latest update

by Robert Vamosi

On Monday, Apple released Mac OS X 10.5.4. In addition to enhancements to existing features, Apple bundled in 13 specific security updates, including one for Safari 3.1.2. The security update APPLE-SA-2008-004 and Mac OS X 10.5.4 can be downloaded and installed from Apple Downloads.

Alias Manager
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an alias manager vulnerability described in CVE-2008-2308. According to Apple, a "memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier."

CoreTypes
This patch affects users running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a potentially unsafe content types vulnerability described in CVE-2008-2309. Apple says, "This update adds .xht and .xhtm files to the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a Web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature." Apple credits Brian Mastenbrook for reporting this issue.

c++filt
This patch affects users of Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a c++filt vulnerability described in CVE-2008-2310. Apple says that a "format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings."

Dock
This patch only affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a screen lock bypass vulnerability described in CVE-2008-2314. "When the system is set to require a password to wake from sleep or screen saver, and Expose hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active," Apple says. Apple credits Andrew Cassell of Marine Spill Response for reporting this issue.

Launch Services
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a maliciously crafted Web site vulnerability described in CVE-2008-2311. "A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation," Apple says. "If the 'Open "safe" files' preference is enabled in Safari, visiting a maliciously crafted Web site may cause a file to be opened on the user's system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files."
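The class of bug Apple describes, a link validated by name and then opened by name again, can be shown in a few lines. This is an added illustration, not Launch Services code; the allow-list, file names and helper names are constructed, and the block passed to each function stands in for the window between check and use.

```ruby
require "tmpdir"

SAFE_EXTENSIONS = [".txt", ".pdf"].freeze # constructed allow-list

def safe_type?(path)
  SAFE_EXTENSIONS.include?(File.extname(path).downcase)
end

# Racy: the link is resolved once to validate and again to open.
def validate_then_open(link)
  return nil unless safe_type?(File.realpath(link)) # lookup 1: check
  yield if block_given?                             # window
  File.read(link)                                   # lookup 2: use
end

# Hardened: resolve once, validate that result, open exactly that path
# and refuse to follow a link placed at its final component.
def resolve_once_then_open(link)
  target = File.realpath(link)
  return nil unless safe_type?(target)
  yield if block_given?
  File.open(target, File::RDONLY | File::NOFOLLOW, &:read)
rescue Errno::ELOOP
  nil
end

# Constructed scenario: the link is repointed between check and use.
def demo
  Dir.mktmpdir do |dir|
    safe  = File.join(dir, "readme.txt")
    other = File.join(dir, "setup.command")
    link  = File.join(dir, "download")
    File.write(safe, "validated content")
    File.write(other, "unvalidated content")
    repoint = lambda do
      File.unlink(link) if File.symlink?(link)
      File.symlink(other, link)
    end

    File.symlink(safe, link)
    racy = validate_then_open(link, &repoint)
    File.unlink(link)
    File.symlink(safe, link)
    hardened = resolve_once_then_open(link, &repoint)
    { racy: racy, hardened: hardened }
  end
end

p demo
```

The racy function returns the content of a file that was never checked; the hardened one returns only what it validated.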

Net-SNMP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a SNMPv3 packet vulnerability described in CVE-2008-0960. Apple says an "issue exists in Net-SNMP's SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets."

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses Ruby script vulnerabilities described in CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, and CVE-2008-2726. Apple says that "multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays."

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the WEBrick vulnerability described in CVE-2008-1145. Apple says that "the :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names." The directory traversal issue associated with this vulnerability does not affect Mac OS X.
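The capitalization gap is easy to audit for in any name-based deny list. The following is an added illustration, not WEBrick's source: the patterns mirror WEBrick's default :NondisclosureName value, the request paths are constructed samples, and the helper names are hypothetical.

```ruby
# Added illustration, not WEBrick's source code.
# PATTERNS mirrors WEBrick's default :NondisclosureName setting; the request
# paths below are constructed samples.
PATTERNS = [".ht*", "*~"].freeze

# True when any segment of the request path matches a nondisclosure pattern.
# flags = 0 compares case-sensitively; File::FNM_CASEFOLD ignores case.
def nondisclosed?(request_path, flags)
  request_path.split("/").reject(&:empty?).any? do |segment|
    PATTERNS.any? { |pattern| File.fnmatch(pattern, segment, flags) }
  end
end

# Run both checks on each path and mark the ones that only the
# case-insensitive check refuses. Those are the names a case-sensitive
# filter lets through while a file system that ignores case still
# resolves them to the protected file.
def audit(paths)
  paths.map do |path|
    strict = nondisclosed?(path, 0)
    folded = nondisclosed?(path, File::FNM_CASEFOLD)
    { path: path, case_sensitive: strict, case_folded: folded,
      gap: folded && !strict }
  end
end

SAMPLE_PATHS = [
  "/docs/index.html",
  "/.htpasswd",
  "/.HTPasswd",
  "/.Htdocs/report.txt",
  "/notes.txt~"
].freeze

audit(SAMPLE_PATHS).each do |row|
  puts format("%-22s case-sensitive=%-5s case-folded=%-5s %s",
              row[:path], row[:case_sensitive], row[:case_folded],
              row[:gap] ? "<- restriction missed" : "")
end
```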

SMB File Server
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the heap buffer overflow vulnerability described in CVE-2008-1105. Apple says that "sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets." Apple credits Alin Rad Pop of Secunia Research for reporting this issue.

System Configuration
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the User Template directory vulnerability described in CVE-2008-2313. Apple says "a local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later." Apple credits Andrew Mortensen of the University of Michigan for reporting this issue.

Tomcat
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses Tomcat 4.1.36 vulnerabilities described in CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, and CVE-2007-5461. Apple says "Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Tomcat version 6.x is bundled with Mac OS X v10.5 systems."

VPN
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a divide by zero vulnerability described in CVE-2007-6276. Apple says that "processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5."

WebKit
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses the memory corruption vulnerability described in CVE-2008-2307. Apple says "visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP/Vista, this issue is addressed in Safari v3.1.2 for those systems. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution." Apple credits James Urquhart for reporting this issue.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by richto June 30, 2008 3:33 PM PDT
Looks like this Swiss cheese of an OS is finally having increasing numbers of band aids applied.
by The_Decider June 30, 2008 5:42 PM PDT
Swiss cheese? Yeah, an OS with zero in the wild exploits after 7 years is swiss cheese. It is news if a day passes and Windows is not exploited by a newly found flaw. Nice try shill.
by M C June 30, 2008 4:18 PM PDT
LOL @ above comment - shoulda took the comp sci courses, dude. (For example: note that some of the patches aren't even to Apple-created items.)

Standard CNet headline - maybe CBS can get you back to journalism and off of click-baiting.
by Kwasiowusu June 30, 2008 5:09 PM PDT
"Some of the patches aren't Apple related" huh? So what?
If only some are "not Apple related", then what of the rest which according to you are "Apple related" then?
Stop making excuses. I don't see you Apple fanatics giving Microsoft that kind of pass when you let rip at the slightest security hole in Windows.
by Kwasiowusu June 30, 2008 4:55 PM PDT
Large numbers of security holes in the Mac OS X?
Oh no!
Surely that can't be?
My eyes must be deceiving me!
Surely, it's only that darned "Windoze" that has security holes.
(that is according to the Apple crazies anyways)
Apple's OS X is of course "bullet proof" :)
by The_Decider June 30, 2008 5:26 PM PDT
Why are MS fans so stupid? Most of these issues are not Apple software and there is a large difference between a flaw and a flaw that can be compromised. Of course you wouldn't know that since MS fans don't have even the most basic understanding of computers or software. For the record no one but you idiots claim that OSX is flawless. Very poor attempt at a red herring.
by Kwasiowusu June 30, 2008 5:36 PM PDT
Real question is: Why are the Apple fanatics and Apple crazies so retarded, infantile and moronic? (It's a well proven fact. You can't get more stupid people on the internet than Apple fanatics)
It's irrelevant if some OS X security holes are "Apple's fault" or not. A similar argument can be made for most security issues with Windows. None of that has stopped you Apple retards from flooding the internet with your brain dead garbage whenever a Windows security issue comes up. Meanwhile, most of these security holes here are directly attributable to Apple. So take your bitter medicine and swallow it already.
by The_Decider June 30, 2008 5:44 PM PDT
Seriously, you don't know the difference between a flaw in Tomcat and an OS flaw? Are you truly that stupid? Show me an in the wild OSX exploit. Just one.
by Kwasiowusu June 30, 2008 6:12 PM PDT
@ "The_Decider", now why don't you read the list of Mac OS X flaws listed above before you start repeating the same pathetic, poor excuses? These security holes are in the Mac OS X, and it's Apple that has had to release to the tune of 25 security fixes. Period!
No amount of excuses is going to change that.
by ittesi259 July 1, 2008 8:03 AM PDT
Flaws in Tomcat and Safari and in other applications don't qualify as OS flaws, and this is a poorly written article that implies otherwise. As for people calling all Apple users arrogant and stupid (they said fanboys, but since I switched to a mac last year I must be a fanboy I guess), I really don't give a damn what you use, get off my back about my computing choices.
by The_Decider June 30, 2008 5:29 PM PDT
Most of these are third party apps and nothing to do with the OS. It is not like I expect anyone from CNET to have basic technical knowledge, that is simply too outrageous. It is still infinitely more secure than Windows despite the ignorant claims of MS fanboys. Get back to me when a 12 year old who couldn't tell you what a stack is much less how to 'smash the stack' successfully exploits OSX or Linux. They do it every day in Windows.
by Kwasiowusu June 30, 2008 5:40 PM PDT
@ The_Decider :"Most of these are third party apps and nothing to do with the OS".
Well, exactly the same argument can be made with the overwhelming majority of Windows security issues, and Windows has vastly more applications than the Mac OS X has.
by The_Decider June 30, 2008 5:49 PM PDT
Really? Given that nonsense like IE, WMP, etc are part of the OS your claims are garbage. Even with those flaws listed here, the OS security is tight. Windows is like a w ****, with its legs spread open letting any and all have access. Did any of them get exploited? No, what a shocker. Because you drag out more ignorance and claim market share is the cause, you should know that a secure app is secure with 1 user or 1 billion users. An insecure app is insecure with 1 user or 1 billion users. Look no further than the number of flaws and exploits in the server market in comparison with market share and your claims will look as ill informed as they are. Look at the thousands and thousands of flaws fixed by MS every year, those are OS issues because Windows doesn't have an update system for everything. The overwhelming majority of exploits in Windows comes from Windows flaws. You don't even know what you are arguing. At least MS fans are consistently ignorant about tech matters.
by Kwasiowusu June 30, 2008 5:58 PM PDT
Yeah?
Microsoft has IE and WMP in Windows so no security holes come from outside applications??
Ummmm.....I gotta point out that Apple includes Safari and Quicktime already included in Mac OSX as well, no?.
Look who's talking garbage now?
Hey, your slip is showing. Just take your bitter medicine and can it.
by Had_to_be_said June 30, 2008 7:52 PM PDT
> The_Decider <, don't bother arguing with "Kwasiowusu". I think you are responding to a child.

"Kwasiowusu" doesn't know the difference between an integrated OS-component, and an application. He doesn't know the difference between a flaw and an exploit. He is, apparently, completely ignorant of the thousands of documented Windows flaws, and tens of thousands of Windows-Viruses (that already exist in the wild).

"Kwasiowusu" doesn't have a clue about how computers actually work. Every line he posts... drips with, glaring-ignorance. Nor, does it seem, he is actually capable of anything other than blustering... name-calling, and clearly childish-responses.

In short, his entire purpose is, simply, to disrupt intelligent discourse, amongst his betters.

So... I suggest, you don't even bother. And, maybe, his mommy will get home, and he will have to go away to do his homework... and leave the adults to discussing the real-technology issues.
by Vegaman_Dan June 30, 2008 10:02 PM PDT
You know, you yourself are always jumping on any and all posts about security issues with Windows- even when the issues are clearly stated in the articles that they are caused by third party apps. In other words, you may want to remove your foot out of your mouth before you post comments in direct contradiction to your own words.
by kevinskrause July 1, 2008 11:07 AM PDT
I am confounded. You constantly bash CNET and yet I always find your name at the top of the reply list to most articles. Admittedly so, I am not very computer literate but I do enjoy using my Mac; it has inspired me to learn. Fact is, it's not what you say that bothers most readers, including myself, but how you say it. You come off as being very arrogant. You don't always have to be combative to make a point; some of your ideas are justified and well constructed. So please, take a deep breath, pull that stick from your @$$, and let's start over.
by trevorbsmith June 30, 2008 6:46 PM PDT
You reference Safari 3.2.1 at the top of this article, but the actual tech notes say Safari is updated to 3.1.2 (and indeed, after the update was applied, Safari sits at 3.1.2 on my system). Might that be a typo?
by pcoogan June 30, 2008 9:43 PM PDT
A "new version" wow, you have got to love Apple's marketing team. That makes me feel so much better now, that I didn't buy a PC. PC users have to download bundles of patches every month. Whereas I get a whole new version, for free. Which is nothing like a bundle of patches, right?
by jamalystic July 1, 2008 7:18 AM PDT
Glad to learn that Apple is doing these security patches. I read the following scathing attack from a security expert about Apple's perceived arrogance when it comes to security issues. Maybe these security patches will answer his questions: Apple's Arrogant Attitude About Security ( http://www.internetevolution.com/author.asp?section_id=515&doc_id=142628&F_src=flftwo)
by ittesi259 July 1, 2008 8:00 AM PDT
You say this like Apple has never had security issues or refuses to recognize them....the difference here is they didn't wait 18 months like some other people while there were active exploits all over the place.
by M C July 1, 2008 2:31 PM PDT
LOL. some security dude didn't get the personal attention he thought he deserved. There seems to be an almost script-kiddie-like need for self-promotion in the security business. CNet feeds that nicely, I might add, with their lack of research.
by ittesi259 July 1, 2008 7:59 AM PDT
Learn a little bit about numbering conventions used in most software projects and you'd know this isn't being billed as a new version of the software.
by someguy999 July 1, 2008 11:03 PM PDT
I'm sorry, I don't know what everyone's talking about... Apple is built on linux and as we all know linux has no security threats, the author must be mistaken.
by Thomas, David July 2, 2008 8:17 AM PDT
Oh my. This was simply proactive updates, as well as changes for the operating system. Starting a religious war is non-productive, and illustrates an extremely narrow-minded thought pattern.

For those pointing to Apple updates as proof the operating system is flawed, that is backwards thinking. To me, and every real professional, it's proof they fix things before moving on and trying to sell something else. However, the most important fact, they fix things before their customers are harmed.

Bottom-line, it's just another update.
by cannabisindica July 2, 2008 11:10 AM PDT
Good for Apple - Now will you PLEASE get an update that stops my new 15" MBP crashing twice a day!