Apple on Monday dropped 10 patches addressing eight vulnerabilities in Mac OS X 10.5, also known as Leopard. One patch addresses a Tiger flaw that was described on the Month of Apple Bugs web site almost a year ago.
Apple issued a patch for an arbitrary code execution flaw that impacts Mac OS X 10.4.11 and its OS X Server counterpart. This directory services issue (CVE-2007-0355) was described on the Month of Apple Bugs web site. Last March Apple fixed a bunch of vulnerabilities that seemed to have vindicated MOAB hackers. It appears Apple let one vulnerability from that project slip through.
Here's Apple's description:
A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue.
Aside from that MOAB flaw in Tiger, the bulk of Apple's patch haul was designed to plug Leopard.
By the CVEs for Leopard:
- CVE-2008-0035: Affects Leopard and its server counterpart. Apple says "accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution." The issue resides in Safari's handling of URLs. The issue doesn't affect any system prior to Mac OS X v10.5.
- CVE-2008-0038: Apple issued a patch so an application removed from the system couldn't be launched via Time Machine's backup. Obviously this could get sticky if you had a malicious program that was stored in Time Machine. Talk about bad memories. Affects Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1.
- CVE-2008-0040: This patch addresses an NFS issue in Leopard OS X and Server. Apple noted: A memory corruption issue exists in NFS's handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through improved handling of mbuf chains. This issue does not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of Sun Microsystems for reporting this issue.
- CVE-2008-0041: Apple patched a parental control issue. In a nutshell, a remote user could find machines with parental controls, request an unblock and swipe information. Affects Leopard OS X and Server.
- CVE-2007-4568: Multiple vulnerabilities were found in the X11 X Font Server in Leopard.
- CVE-2008-0037: Another X11 issue. This flaw meant that you couldn't change security preferences. Apple said: The X11 server is not reading correctly its "Allow connections from network client" preference, which can cause the X11 server to allow connections from network clients, even when the preference is turned off. This update addresses the issue by ensuring the X11 server reads its preferences correctly. This issue does not affect systems prior to Mac OS X v10.5.
CVEs for both Leopard and Tiger:
- CVE-2007-6015: This one affects both Leopard and Tiger. "A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests," says Apple.
- CVE-2008-0042: Apple patched its Terminal app, which could allow arbitrary code execution if a user viewed a maliciously crafted web page.
CVEs for Tiger:
- CVE-2008-0039: Apple patched an arbitrary code execution flaw in its mail application for Mac OS X v10.4.11 and Mac OS X Server v10.4.11. Apple says:
An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message.