Apple has released Security Update 2007-003 for both the client and server editions of Mac OS X 10.3.9. This release largely eliminates the same vulnerabilities addressed by Mac OS X 10.4.9 (also released today), but for Panther users.
Many of the flaws resolved are those mentioned by the "Month of Apple Bugs" campaign, which Apple credits in its release notes.
Components affected by this release include:
- Crash Reporter
- Directory Services
- DiskImages Framework
- Flash Player Plug-in
- Print Center
- Viewing a malformed PDF Document may lead to an application hang CoreGraphics has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-06-01-2007), which may lead to an application hang.
- Mounting a maliciously-crafted disk image may lead to an unexpected application termination or arbitrary code execution A memory corruption vulnerability exists in diskimages-helper. By enticing a user to open a maliciously-crafted compressed disk image, an attacker could trigger this issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of disk images.
- Downloading a maliciously-crafted disk image may lead to an unexpected system shutdown or arbitrary code execution Several vulnerabilities exist in the processing of disk images that may lead to an unexpected termination of system operations or arbitrary code execution. These have been described on the Month of Kernel Bugs and Month of Apple Bugs web sites (MOKB-03-11-2006, MOKB-20-11-2006, MOKB-21-11-2006, MOAB-10-01-2007, MOAB-11-01-2007 and MOAB-12-01-2007). Since a disk image may be automatically mounted when visiting web sites, this allows a malicious web site to cause a denial of service. This update addresses the issue by performing additional validation of downloaded disk images prior to mounting them.
- Playing maliciously-crafted Flash content could allow an HTTP request splitting attack Adobe Flash Player is updated to version 220.127.116.11 to fix a potential vulnerability that could allow HTTP request splitting attacks. This issue is described as APSB06-18 on the Adobe web site at http://www.adobe.com/support/security.
- Console keyboard events are exposed to other users on the local system Insufficient controls in the IOKit HID interface allow any logged in user to capture console keystrokes, including passwords and other sensitive information. This update addresses the issue by limiting HID device events to processes belonging to the current console user. Credit to Andrew Garber of University of Victoria, Alex Harper, and Michael Evans for reporting this issue.
- Malicious local users may be able to cause an unexpected termination of system operations or execute arbitrary code with elevated privileges A memory corruption issue exists in the AppleTalk protocol handler. This could allow a malicious local user to cause a kernel panic or gain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-27-11-2006). This update addresses the issue by performing additional validation of the input data structures.
- Opening a maliciously-crafted Software Update Catalog file may lead to an unexpected application termination or arbitrary code execution A format string vulnerability exists in the Software Update application. By enticing a user to download and open a Software Update Catalog file, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-24-01-2007). This update addresses the issue by removing document bindings for Software Update Catalogs. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.
Security Update 2007-003 for Mac OS X 10.3.9 (client and server) is available through Software Update or via the following standalone download links:
Problems after applying this update? Please let us know.