X

Apple patches 25 flaws with latest update

With the release of a new version of Mac OS X Leopard comes security updates for that operating system and earlier versions.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
See full bio
Robert Vamosi
6 min read

On Monday, Apple released Mac OS X 10.5.4. In addition to enhancements to existing features, Apple bundled in 13 specific security updates, including one for Safari 3.1.2. The security update APPLE-SA-2008-004 and Mac OS X 10.5.4 can be downloaded and installed from Apple Downloads.

Alias Manager
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an alias manager vulnerability described in CVE-2008-2308. According to Apple, a "memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier."

CoreTypes
This patch affects users running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a potentially unsafe content types vulnerability described in CVE-2008-2309. Apple says, "This update adds .xht and .xhtm files to the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a Web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature." Apple credits Brian Mastenbrook for reporting this issue.

c++filt
This patch affects users of Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a c++filt vulnerability described in CVE-2008-2310. Apple says that a "format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings."

Dock
This patch only affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a screen lock bypass vulnerability described in CVE-2008-2314. "When the system is set to require a password to wake from sleep or screen saver, and Expose hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active," Apple says. Apple credits Andrew Cassell of Marine Spill Response for reporting this issue.

Launch Services
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a maliciously crafted Web site vulnerability described in CVE-2008-2311. "A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation," Apple says. If the "Open 'safe' files" preference is enabled in Safari, visiting a maliciously crafted Web site may cause a file to be opened on the user's system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files."

Net-SNMP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a SNMPv3 packet vulnerability described in CVE-2008-0960. Apple says an "issue exists in Net-SNMP's SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets."

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses Ruby script vulnerabilities described in CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, and CVE-2008-2726. Apple says that "multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays."

Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The WEBRick vulnerability described in CVE-2008-1145. Apple says that "the :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names." The directory traversal issue associated with this vulnerability does not affect Mac OS X.

SMB File Server
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the heap buffer overflow vulnerability described in CVE-2008-1105. Apple says that "sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets." Apple credits Alin Rad Pop of Secunia Research for reporting this issue.

System Configuration
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the User Template directory vulnerability described in CVE-2008-2313. Apple says "a local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later." Apple credits Andrew Mortensen of the University of Michigan for reporting this issue.

Tomcat
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses Tomcat 4.1.36 vulnerabilities described in CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, and CVE-2007-5461. Apple says "Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Tomcat version 6.x is bundled with Mac OS X v10.5 systems.

VPN
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a divide by zero vulnerability described in CVE-2007-6276. Apple says that "processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5."

WebKit
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses the memory corruption vulnerability described in CVE-2008-2307. Apple says "visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP/Vista, this issue is addressed in Safari v3.1.2 for those systems. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution." Apple credits James Urquhart for reporting this issue.