
Apple posts Security Update 2005-001 for Mac OS X 10.3.7 and 10.2.8

CNET staff

Apple has released Security Update 2005-001 for both Mac OS X 10.3.7 and Mac OS X 10.2.8.

This is the first Security Update to follow Apple's new naming scheme, which has changed from a date format (e.g., "Security Update 2004-12-02") to a format based on the year and a sequence number: Security Update YYYY-NNN. For example, the update released today is named "Security Update 2005-001", the next would be "Security Update 2005-002" and so on.

Security Update 2005-001 provides the following refinements, broken down by component:

  • Component: at commands
  • Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
  • Impact: Updates the "at" commands to address a local privilege escalation vulnerability
  • Description: The "at" family of commands did not properly drop privileges. This could allow a local user to remove files not owned by them, run programs with added privileges, or read the contents of normally unreadable files. This update patches the commands at, atrm, batch, atq, and atrun. Credit to kf_lists[at]digitalmunition[dot]com for reporting this issue.

  • Component: ColorSync
  • Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
  • Impact: Malformed ICC color profiles could overwrite the program heap, resulting in arbitrary code execution.
  • Description: An out-of-specification or improperly embedded ICC color profile could overwrite the program heap and allow arbitrary code execution. There are no known exploits for this issue. With this update, ColorSync will reject incorrectly-formed ICC color profiles.

  • Component: libxml2
  • Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
  • Impact: The libxml2 library contains unsafe code that may be exploited in applications linked against it.
  • Description: This update fixes several functions in the libxml2 library that have been identified as unsafe due to potentially exploitable buffer overflows.

  • Component: Mail
  • Available for: Mac OS X v10.3.7 Client, Mac OS X Server v10.3.7
  • Impact: Email messages sent from a single machine can be identified
  • Description: A GUUID containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header. Mail now hides this information by computing the Message-ID using a cryptographic hash of the GUUID concatenated with data from /dev/random. Credit to Carl Purvis for reporting this issue.

  • Component: PHP
  • Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
  • Impact: Multiple vulnerabilities in PHP, including remote denial of service and execution of arbitrary code
  • Description: PHP is updated to version 4.3.10 to address several issues. The PHP release announcement for version 4.3.10 is located at http://www.php.net/release_4_3_10.php.

  • Component: Safari
  • Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
  • Impact: When Safari's "Block Pop-Up Windows" feature is not enabled, a malicious pop-up window could appear as being from a trusted site
  • Description: If the "Block Pop-Up Windows" feature is enabled, then this issue does not occur. If the "Block Pop-Up Windows" feature is not enabled, a user can be misled about the content of a pop-up window if they used an untrusted link to navigate to a site they wanted to view. This update corrects the issue regardless of the "Block Pop-Up Windows" setting. Credit to Secunia Research for reporting this issue.

  • Component: SquirrelMail
  • Available for: Mac OS X Server 10.3.7
  • Impact: SquirrelMail is updated to address a cross-site scripting vulnerability
  • Description: A cross-site scripting vulnerability in SquirrelMail allowed email messages to contain content that would be rendered by a user's web browser. SquirrelMail is updated to address this issue. Further details are available from the SquirrelMail website: http://www.squirrelmail.org/.
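The ColorSync item above says the fix is to reject incorrectly formed ICC profiles rather than trust the offsets and sizes they declare. The following is an added example, not Apple's code and not taken from the ColorSync source: a small Python parser for the parts of the ICC layout that matter for this class of bug (the 128-byte header with the profile size at offset 0 and the `acsp` signature at offset 36, then a 4-byte tag count followed by 12-byte tag entries of signature, offset and size). Every declared size and offset is bounds-checked against the actual buffer before any data is read. The sample profiles are constructed here for illustration; `build_profile` is a test helper, not a real profile writer.

```python
import struct

ICC_HEADER_LEN = 128   # fixed-size ICC header
TAG_ENTRY_LEN = 12     # each tag table entry: 4-byte sig, 4-byte offset, 4-byte size


class MalformedProfile(ValueError):
    """Raised when an ICC profile fails structural validation."""


def parse_icc_profile(data: bytes) -> dict:
    """Parse the header and tag table of an ICC profile.

    Returns {tag_signature: tag_bytes} for a well-formed profile and raises
    MalformedProfile for any declared size, count or offset that does not fit
    inside the buffer actually supplied. Trusting those fields without this
    check is how a crafted profile drives reads or writes past the heap
    allocation that holds it.
    """
    if len(data) < ICC_HEADER_LEN + 4:
        raise MalformedProfile("shorter than header plus tag count")
    declared_size = struct.unpack(">I", data[0:4])[0]
    if declared_size != len(data):
        raise MalformedProfile(f"declared size {declared_size} != actual {len(data)}")
    if data[36:40] != b"acsp":
        raise MalformedProfile("missing 'acsp' profile signature")

    tag_count = struct.unpack(">I", data[128:132])[0]
    table_end = 132 + tag_count * TAG_ENTRY_LEN
    # Validate the whole table before iterating. In C the multiplication above
    # can also wrap a 32-bit integer, so that overflow must be checked too.
    if table_end > len(data):
        raise MalformedProfile(f"tag table with {tag_count} entries exceeds profile")

    tags = {}
    for i in range(tag_count):
        entry = 132 + i * TAG_ENTRY_LEN
        sig, tag_offset, tag_size = struct.unpack(">4sII", data[entry:entry + TAG_ENTRY_LEN])
        # A tag must lie entirely inside the profile and after the header.
        if tag_offset < ICC_HEADER_LEN or tag_offset + tag_size > len(data):
            raise MalformedProfile(f"tag {sig!r} at {tag_offset}+{tag_size} lies outside profile")
        tags[sig] = data[tag_offset:tag_offset + tag_size]
    return tags


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True if the profile passes structural validation."""
    try:
        parse_icc_profile(data)
        return True
    except MalformedProfile:
        return False


def build_profile(tags: dict, *, bad_offset: bool = False) -> bytes:
    """Construct a minimal ICC profile for testing (constructed sample data).

    With bad_offset=True every tag entry points far past the end of the buffer,
    mimicking the out-of-specification profiles the update rejects.
    """
    entries = []
    payload = b""
    data_start = ICC_HEADER_LEN + 4 + TAG_ENTRY_LEN * len(tags)
    for sig, body in tags.items():
        offset = 0x7FFFFFF0 if bad_offset else data_start + len(payload)
        entries.append(struct.pack(">4sII", sig, offset, len(body)))
        payload += body
    total = data_start + len(payload)
    # Header: size (4) + 32 bytes of other fields + 'acsp' (4) + remainder to 128.
    header = struct.pack(">I", total) + bytes(32) + b"acsp" + bytes(ICC_HEADER_LEN - 40)
    return header + struct.pack(">I", len(tags)) + b"".join(entries) + payload


# Constructed samples: one valid profile, one with tag offsets outside the
# buffer, and one whose tag count claims a table larger than the whole file.
SAMPLE_TAGS = {b"desc": b"sample description", b"wtpt": bytes(12)}
GOOD_PROFILE = build_profile(SAMPLE_TAGS)
BAD_OFFSET_PROFILE = build_profile(SAMPLE_TAGS, bad_offset=True)
BAD_COUNT_PROFILE = GOOD_PROFILE[:128] + struct.pack(">I", 0x40000000) + GOOD_PROFILE[132:]

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PROFILE), ("bad offset", BAD_OFFSET_PROFILE),
                       ("bad count", BAD_COUNT_PROFILE)]:
        print(f"{name:>10}: {'accepted' if is_well_formed(blob) else 'rejected'}")
```

The order of checks matters: the tag count is validated against the buffer length before the loop so a huge count cannot be used to walk off the end of the table, and each tag's offset and size are checked together, since an individually plausible offset plus an oversized length is the usual shape of the heap overwrite this update addresses.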

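The Mail item above describes replacing a Message-ID built from a hardware-derived identifier with one computed as a cryptographic hash of that identifier concatenated with random data. The following is an added example, not Apple's code and not how Mail.app actually formats its headers: a constructed approximation of the two schemes, side by side, with a check showing that the old form carries the hardware identifier verbatim across every message while the hashed form does not and is not even linkable between messages from the same machine. The sample MAC address and domain are constructed values.

```python
import hashlib
import os

SAMPLE_MAC = "00:0a:95:9d:68:16"   # constructed sample, not a real machine
SAMPLE_DOMAIN = "mail.example.com"  # constructed sample domain


def legacy_message_id(mac: str, counter: int, domain: str = SAMPLE_DOMAIN) -> str:
    """Pre-update style (constructed approximation): an identifier derived
    from the Ethernet hardware address appears verbatim in the header, so
    every message the machine sends carries the same fingerprint."""
    hardware_id = mac.replace(":", "").upper()
    return f"<{hardware_id}-{counter:08X}@{domain}>"


def hashed_message_id(mac: str, domain: str = SAMPLE_DOMAIN, rand: bytes = b"") -> str:
    """Post-update style: hash the identifier together with fresh random
    bytes. The result is still unique per message but reveals nothing about
    the hardware and cannot be tied to other messages from the same host."""
    if not rand:
        rand = os.urandom(16)   # stands in for the /dev/random data the update uses
    digest = hashlib.sha256(mac.encode() + rand).hexdigest()
    return f"<{digest[:32]}@{domain}>"


def leaks_hardware_id(message_id: str, mac: str) -> bool:
    """True if the hardware address is recoverable by simple inspection."""
    return mac.replace(":", "").upper() in message_id.upper()


if __name__ == "__main__":
    for n in (1, 2):
        print("legacy:", legacy_message_id(SAMPLE_MAC, n))
        print("hashed:", hashed_message_id(SAMPLE_MAC))
```

The random input is what makes the hash safe, not the hash by itself: the space of Ethernet addresses is only 48 bits, so a hash of the identifier alone could be reversed by enumeration, whereas 16 fresh random bytes per message make the preimage infeasible to search and leave two IDs from the same machine with no common structure.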
Security Update 2005-001 is available either through Software Update, or as a series of Web downloads:

  • Security Update 2005-001 (Mac OS X 10.2.8 Client) 1.0 18MB
  • Security Update 2005-001 (Mac OS X 10.2.8 Server) 1.0 18MB
  • Security Update 2005-001 (Mac OS X 10.3.7 Client) 1.0 7MB
  • Security Update 2005-001 (Mac OS X 10.3.7 Server) 1.0 7MB

Several readers have reported new notifications when repairing permissions with Disk Utility after applying the update, specifically:

  • We are using a special uid for the file or directory ./private/var/at/jobs. New uid is 1
  • We are using a special uid for the file or directory ./private/var/at/spool. New uid is 1

These messages are normal and can be safely ignored.

If you are having any problems with Security Update 2005-001, please let us know at late-breakers@macfixit.com.
