Apple fixes 26 Mac OS flaws

Some of the vulnerabilities are serious and could be used in malicious attacks to commandeer Macs.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Apple Computer issued on Tuesday updates for its Mac OS X operating system to fix 26 security flaws, some serious.

Several of the vulnerabilities affect the way in which Mac OS X handles images and the file-sharing capabilities of the software, according to an Apple security advisory. Other flaws were found and fixed within components such as Fetchmail, file compression features, and DHCP networking functionality, Apple said.

The vulnerabilities could enable a variety of attacks, security company Symantec said in an advisory sent out to customers of its DeepSight intelligence service. "Remote attackers can execute arbitrary code, trigger denial-of-service conditions, elevate privileges, and disclose potentially sensitive information," Symantec said.

Apple credits a number of security researchers with finding the flaws. These include researchers employed by Google and Mozilla, as well as Tom Ferris, a freelance security researcher who has disclosed limited information on some Apple bugs in the past.

The bulk of the Mac OS X flaws affect both the client and server versions of the operating system. Attackers could exploit several of the vulnerabilities, specifically those related to image processing and file compression, by crafting malicious files and tricking people into opening them, Apple said. This attack method is seen often on computers that run Microsoft's Windows operating system.

A handful of flaws related to file sharing, handled by the Mac OS X AFP server, could expose user data or let a malicious user gain elevated privileges a system running Mac OS X or cause a crash, Apple said.

The update also increases the length of the passkey used for pairing Bluetooth devices with Mac computers, Apple said. This could provide enhanced security for the use of Macs with wireless devices that use Bluetooth technology.

Mac OS X users are urged to upgrade in order to protect their systems against possible attacks that may exploit the flaws. Symantec said that it doesn't know of current attack code for any of the issues, though some may not require specific exploit code, the company said.

Apple has released Security Update 2006-004 to address the issues. The update is available from the Software Update pane in System Preferences on Mac OS X systems or through Apple's Web site. Until now, Apple's most recent security update came out in late June.