X

Mac OS 10.5.5 packs fixes for slew of security flaws

The new version patches almost three dozen software flaws addressing specific Apple features and open-source projects alike.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi
9 min read

With the release of Mac OS X 10.5.5 on Monday, the Cupertino, Calif., computer company provided patches for almost three dozen software flaws. Some of the fixes are specific to Apple features, such as image processing and Finder. Other fixes are updates to various open-source projects including Bind, ClamAV, OpenSSH, and Ruby.

Version 10.5.5 can be obtained from the Apple Software Downloads page.

ATS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue in CVE-2008-2305 in which viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this vulnerability.

BIND
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update upgrades users to BIND version 9.4.2-P2, which addresses performance issues associated with BIND version 9.4.2-P1.

ClamAV
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerabilities detailed within CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, and CVE-2008-3215 by updating Mac OS users to ClamAV version 0.93.3.

Directory Services
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed in CVE-2008-2329, in which a person with access to the log-in screen may be able to list user names. Apple says an information disclosure issue exists in Log-in Window when it is configured to authenticate users with Active Directory. "By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed."

Directory Services II
This patch affects users of Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4. The update addresses the insecure file operation vulnerability within CVE-2008-2330, in which a local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.

Finder
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the details within CVE-2008-2331 in which The Get Info window may not display the actual privileges for a file. Apple says "Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the file system Sharing & Permissions will take effect, but will not be displayed. This issue does not affect systems prior to Mac OS X v10.5." Apple credits Michel Colman for reporting the vulnerability.

Finder II
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4, specifically those running Mac OS X v10.5.2, MacBook Air running Mac OS X v10.5.3, and MacBook Air running Mac OS X v10.5.4. The update addresses a vulnerability detailed within CVE-2008-3613, in which an attacker with access to the local network may cause a denial of service. Apple credits Yuxuan Wang of Sogou for reporting the vulnerability.

ImageIO
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue detailed within CVE-2008-2327, in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Apple says multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images.

ImageIO II
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue detailed within CVE-2008-2332, in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Apple says there's a memory corruption issue that exits in ImageIO's handling of TIFF images. Apple credits Robert Swiecki of Google Security Team for reporting this vulnerability.

ImageIO III
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE- CVE-2008-3608, in which viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. Apple says there's a memory corruption issue that exists in ImageIO's handling of embedded ICC profiles in JPEG images.

ImageIO IV
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-1382 in which libpng in ImageIO is updated to version 1.2.29. Apple adds that CVE-2008-1382 is not known to affect the use of libpng in ImageIO, so this update is applied as a precautionary measure.

Kernel
This patch affects users of Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-3609 in which files may be accessed by a local user who does not have the proper permissions. Apple says cached credentials are not always flushed when a vnode is recycled. Apple credits Nevin ":-)" Liber, Thomas Pelaia of Oak Ridge National Lab, Thomas Tempelmann, and Ram Kolli for reporting this vulnerability.

Libresolv
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-1447, in which libresolv is susceptible to DNS cache poisoning and may return forged information. Apple explains that libresolv provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. Apple credits Dan Kaminsky of IOActive for reporting this vulnerability.

Login Window I
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed within CVE-2008-3610, in which a user may log in without providing a password. Apple explains that a race condition exists in Login Window. To trigger this issue, the system must have the guest account enabled or another account with no password. This issue does not affect systems prior to Mac OS X v10.5.

Login Window II
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the vulnerability described in CVE-2008-3611 in which person with access to the login screen may be able to change a user's password. Apple says that when a system has been configured to enforce policies on log-in passwords, users may be required to change their password in the log-in screen. If a password change fails, an error message is displayed, but the current password is not cleared and this may not be obvious to the user. Apple credits Christopher A. Grande of Middlesex Community College for reporting this vulnerability.

mDNSResponder
This patch affects users running Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses a buffer overflow vulnerability described in CVE-2008-1447 in which mDNSResponder is susceptible to DNS cache poisoning and may return forged information. Apple credits Dan Kaminsky of IOActive for reporting this vulnerability.

OpenSSH
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses multiple vulnerabilities in OpenSSH described in CVE-2008-1483 and CVE-2008-1657, the most serious of which is local X11 session control.

QuickDraw Manager
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the integer overflow vulnerability described in CVE-2008-3614, in which opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses a vulnerability described in CVE-2008-2376 in which running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution. Apple says there's an integer overflow in rb_ary_fill(), which implements the Ruby Array#fill method.

SearchKit
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses a vulnerability described in CVE-2008-3616 in which applications passing untrusted input to the SearchKit API may lead to an unexpected application termination or arbitrary code execution. Apple explains that an integer overflow issues exist in functions within the SearchKit framework.

System Configuration I
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the vulnerability described in CVE-2008-2312, in which a local user may obtain the PPP password. Apple says Network Preferences stores PPP passwords unencrypted in a world readable file, accessible to any local user. Apple credits Hernan Ochoa of Core Security Technologies, Tore Halset of pvv.org, and Matt Johnston of the University Computer Club for reporting this vulnerability.

System Preferences I
This patch affects users of Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability described in CVE-2008-3617, in which users may be misled into believing their passwords are stronger than they are. Apple says "Remote Management and Screen Sharing can be configured to require a password for VNC viewers. The maximum length for VNC viewer passwords is eight characters. The password field can display more than eight characters, implying that the additional characters are used in the password. This update addresses the issue by limiting VNC viewer passwords to eight characters in the user interface." Apple credits Michal Fresel of hi competence e.U. for reporting this vulnerability.

System Preferences II
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the vulnerability described in CVE-2008-3618 in which authenticated users may have unexpected remote access to files and directories.

Time Machine
This patch affects users of Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability described in CVE-2008-3619 in which backing up a system with Time Machine may lead to the disclosure of sensitive information. Apple says that during a Time Machine Backup, several log files are saved to the backup drive with read permission allowed to other users and may lead to the disclosure of sensitive information.

VideoConference
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses vulnerability described in CVE-2008-3621, in which videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution. Apple says a memory corruption issue exists in the VideoConference framework's handling of H.264 encoded media.

Wiki Server
This patch affects users of Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses a divide by zero vulnerability described in CVE-2008-3622, in which a remote attacker may cause persistent JavaScript injection on a Wiki server. Apple says "the Wiki Server mailing list archive will execute JavaScript code embedded in messages. A remote person may send an email containing JavaScript code to a mailing list hosted on a Wiki server. Viewing the message from the Wiki Server mailing list archive will trigger the execution of the embedded JavaScript code on the system of the person viewing the message."