
Apple's October update fixes 20 security flaws

Here's a bushel of security updates from Apple, including a mix of Mac OS and open-source fixes. Some are specific to Apple features such as Single Sign On, Finder, and ColorSync.

Robert Vamosi, Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

With the release of its APPLE-SA-2008-10-09 security update on Thursday, the Cupertino, Calif.-based computer company provided patches for nearly two dozen software flaws.

Some of the fixes included in the update, which can be obtained from Apple's Software Downloads page, are specific to Apple features, such as Single Sign On, Finder, and ColorSync. But the release also addresses an error introduced in Mac OS X 10.5.5. Other fixes are updates to open-source projects, including Apache, ClamAV, PHP, and Tomcat.

Apache
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. It updates Apache to version 2.2.9, addressing several issues detailed in CVE-2007-6420, CVE-2008-1678, and CVE-2008-2364, the most serious of which may lead to cross-site request forgery.

Certificates
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update adds several trusted certificates.

ClamAV
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5.5. The update addresses the vulnerabilities detailed in CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, and CVE-2008-3914 by updating ClamAV to version 0.94.

ColorSync
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability detailed in CVE-2008-3642, in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.

CUPS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses CVE-2008-3641, an unchecked array index in the CUPS Hewlett-Packard Graphics Language (HP-GL/2) print filter, through which a remote attacker submitting a crafted print job may be able to execute arbitrary code with the privileges of the "lp" user.

Finder
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses CVE-2008-3643, in which a maliciously crafted file placed on the Desktop causes the Finder to terminate unexpectedly while generating the file's icon; because the Finder is relaunched automatically and immediately tries again, it terminates and restarts continually for as long as the file is present. Apple credits Sergio 'shadown' Alvarez of n.runs AG for reporting the vulnerability.

Launchd
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses CVE-2008-3613, an issue introduced in Mac OS X v10.5.5 that may cause an application's request to enter a sandbox to fail, leaving the application running without the restrictions it asked for. Systems prior to Mac OS X v10.5.5 are not affected.

Libxslt
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the issue detailed within CVE-2008-1767, in which viewing a maliciously crafted HTML page may trigger a buffer overflow and lead to an unexpected application termination or arbitrary code execution. Apple credits Anthony de Almeida Lopes of Outpost24 and Chris Evans of the Google Security Team with reporting this vulnerability.

MySQLServer
This patch affects users of Mac OS X Server v10.5.5. The update upgrades MySQL to version 5.0.67 to address the vulnerabilities outlined in CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, and CVE-2008-2079, the most serious of which may lead to arbitrary code execution.

Networking
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses CVE-2008-3645, a heap buffer overflow in the local IPC component of configd's EAPOLController plug-in, which may allow a local user to obtain system privileges. Apple credits itself for finding this vulnerability.

PHP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, and Mac OS X Server v10.5.5. The update upgrades PHP to version 4.4.9 to address the vulnerabilities detailed in CVE-2007-4850, CVE-2008-0674, and CVE-2008-2371, the most serious of which may lead to arbitrary code execution.

Postfix
This patch affects users of Mac OS X v10.5.5. The update addresses CVE-2008-3646, in which a remote attacker may be able to send mail directly to local users. Apple credits Pelle Johansson for reporting this vulnerability.

PSNormalizer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses the vulnerability detailed within CVE-2008-3647, in which viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding this vulnerability.

QuickLook
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses the vulnerability detailed within CVE-2008-4211, in which downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding this vulnerability.

Rlogin
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses CVE-2008-4212, in which systems that have been manually configured to use rlogin together with hosts.equiv may unexpectedly permit root login: trust entries in hosts.equiv are not meant to apply to root, but rlogind honored them for root as well. Rlogin is off by default, so only systems where it was deliberately enabled are exposed. Apple credits Ralf Meyer for reporting this vulnerability.
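Because the bug above turns every trust entry in hosts.equiv into a potential root login, a quick audit of that file is worth having on any system where rlogin was ever enabled. The script below is an added example, not code from Apple's advisory or from the article; the file path and the sample hosts.equiv content are constructed for the example. It walks the file, ignores comments, blanks and explicit deny ("-") entries, and reports each remaining entry as a wildcard ("+" host or user), a netgroup ("+@group") or a specific trusted host.

```shell
#!/bin/sh
# Added example: audit a hosts.equiv file for entries that grant
# password-less rlogin trust. On a system unpatched for CVE-2008-4212
# these entries also applied to root, so every one of them matters.
# The sample file content below is constructed for this example.

# Print one line per trusting entry as "<kind>\t<entry>", where kind is
#   wildcard  - '+' in the host or user field (trusts everyone)
#   netgroup  - '+@group' entry
#   host      - a specific trusted host
# Comments, blank lines and '-' (deny) entries are skipped.
# Returns 0 if no trusting entry was found, 1 otherwise.
audit_hosts_equiv() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}          # drop trailing comment
        set -- $entry              # split into host [user]
        [ $# -eq 0 ] && continue   # blank or comment-only line
        host=$1
        user=${2:-}
        case $host in
            -*) continue ;;        # explicit deny entry
        esac
        case "$host $user" in
            "+ "*|*" +") kind=wildcard ;;
            "+@"*)       kind=netgroup ;;
            *)           kind=host ;;
        esac
        printf '%s\t%s\n' "$kind" "$entry"
        found=1
    done < "$file"
    return $found
}

# Number of trusting entries in a hosts.equiv file.
count_trusting_entries() {
    audit_hosts_equiv "$1" | wc -l | tr -d ' '
}

# Constructed sample hosts.equiv for the example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# hosts.equiv: trusted hosts for rlogin/rsh
+                      # trust every host (dangerous)
build.example.test     # trust one host, same username required
-evil.example.test     # explicit deny
+@nis-admins           # trust a netgroup
EOF

if audit_hosts_equiv "$sample"; then
    echo "no trusting entries in $sample"
else
    echo "trusting entries found; unpatched for CVE-2008-4212 these also admit root"
fi
rm -f "$sample"
```

Run it against /etc/hosts.equiv on a host where rlogin was turned on; any output at all means the machine relied on rlogind's root exclusion, which this update is the fix for. The same walk applies to per-user .rhosts files, which use the same entry syntax.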

Script Editor
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses CVE-2008-4214, in which a local user may gain the privileges of another user who is running Script Editor.

Single Sign On
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, and Mac OS X Server v10.5.5. The update addresses CVE-2008-4213, in which the sso_util command took passwords on its command line, where other local users could read them from the process list; sso_util now accepts the password from a file instead.

Tomcat
This patch affects only users of Mac OS X Server v10.5.5. The update upgrades Tomcat on Mac OS X v10.5 systems to version 6.0.18 to address the vulnerabilities detailed in CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, and CVE-2007-5461, the most serious of which may lead to a cross-site scripting attack.

Vim
This patch affects users of Mac OS X v10.5.5 and Mac OS X Server v10.5.5. The update addresses the vulnerabilities detailed in CVE-2008-2712, CVE-2008-4101, CVE-2008-3432, and CVE-2008-3294, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files.

Weblog
This patch affects users of Mac OS X Server v10.4.11. The update addresses a vulnerability described in CVE-2008-4215, in which access control on Weblog postings may not be enforced.