Apple fixes hole with Mac OS X image viewing

Apple security update fixes problems with image handling and other issues that could allow an attacker to take control of a Mac using remote code execution.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Aug. 5, 2009 4:09 p.m. PT

Apple on Wednesday issued a security update that fixes 18 vulnerabilities including several that put computers running Mac OS X at risk of remote code execution if a maliciously crafted image is viewed.

In addition to fixing a problem with how PNG images are handled, Security Update 2009-003 fixes issues related to ImageIO's handling of OpenEXR images, EXIF metadata, as well as Canon RAW images and images with an embedded ColorSync profile.

The update, which arrives as part of the release of Mac OS X v10.5.8, extends the list of content types the Mac OS X will flag as potentially unsafe when downloaded from the Web. It also fixes a problem with how XML content is handled and resolves the way the kernel handles AppleTalk response packets.

Apple also identified and fixed a problem with MobileMe. Signing out of MobileMe does not remove all credentials and a person with access to the local user account could continue to access associated systems.