Apple monster update fixes 41 Mac OS X, Safari vulnerabilities

Summary:Apple today released a monster update to provide belated cover for at least 41 security holes in its flagship Mac operating system.

With Security Update 2007-008 and Mac OS X v10.4.11, Apple patches multiple "highly critical" flaws that could cause unexpected system shutdowns, drive-by malware downloads and remote code execution attacks.

The company also shipped a new version of Safari for Windows (beta) to patch 10 browser vulnerabilities affecting Windows XP and Vista users.

Some of the most serious vulnerabilities include:

CVE-2007-4691: A case-sensitivity issue exists in NSURL when determining if a URL references the local file system. This may cause a caller of the API to make incorrect security decisions, potentially leading to the execution of files on the local system or network volumes without appropriate warnings.
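The NSURL flaw is an instance of a general bug class: a caller decides whether a URL is local by matching its scheme, but compares it case-sensitively even though URI schemes are case-insensitive. The following added example (constructed here, not Apple's NSURL code) puts a naive prefix check beside a scheme-aware one; the function names and sample URLs are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class behind CVE-2007-4691, not Apple's
 * NSURL code: a caller wants to know whether a URL points at the local file
 * system so it can warn before opening it. */

/* Naive check: only an exact lowercase "file:" prefix counts, so "FILE:" or
 * "File:" is treated as a remote URL and the warning is skipped. */
int is_local_file_url_naive(const char *url) {
    return url != NULL && strncmp(url, "file:", 5) == 0;
}

/* Scheme-aware check. RFC 3986 schemes are ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 * and match case-insensitively, so isolate the scheme up to the ':' and compare
 * it character by character after folding to lowercase. */
int is_local_file_url(const char *url) {
    static const char want[] = "file";
    size_t i;
    if (url == NULL || !isalpha((unsigned char)url[0])) return 0;
    for (i = 1; url[i] != '\0' && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return 0;
    }
    if (url[i] != ':') return 0;                 /* no scheme delimiter at all */
    if (i != sizeof want - 1) return 0;          /* scheme length must match "file" */
    for (size_t k = 0; k < i; k++)
        if (tolower((unsigned char)url[k]) != want[k]) return 0;
    return 1;
}

int main(void) {
    const char *samples[] = { "file:///etc/hosts", "FILE:///etc/hosts",
                              "File://server/share/doc", "http://example.com/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s naive=%d scheme-aware=%d\n", samples[i],
               is_local_file_url_naive(samples[i]), is_local_file_url(samples[i]));
    return 0;
}
```

The point for defenders is that any "is this local?" decision should be made on the parsed, normalised scheme rather than on a byte-exact prefix, and the same applies to host comparisons.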

CVE-2007-4689: A double-free issue exists in the handling of certain IPV6 packets, which may lead to an unexpected system shutdown or arbitrary code execution with system privileges.

CVE-2007-4690: A double-free issue in NFS may be triggered when processing an AUTH_UNIX RPC call. By sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP, a remote attacker may cause an unexpected system shutdown or arbitrary code execution.
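Both the IPv6 and the NFS bugs above are double frees in packet-handling code, which typically arise when an error branch frees a buffer and then jumps to a shared cleanup path that frees it again. The following added example (a constructed toy parser, not the XNU IPv6 or NFS code) shows that pattern next to the single-owner, single-cleanup form that prevents it; the packet format, function names and sample bytes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy packet format, not the XNU IPv6 or NFS code: byte 0 holds the
 * payload length, the payload follows. The parser copies the payload to the
 * heap and hands it to the caller, who later frees it. */
struct parsed { uint8_t *payload; size_t len; };

/* Vulnerable pattern: the "truncated payload" branch frees the buffer itself
 * and then jumps to a shared cleanup label that frees it again, so one
 * malformed packet corrupts allocator state. */
int parse_packet_vulnerable(const uint8_t *pkt, size_t len, struct parsed *out) {
    int rc = -1;
    uint8_t *buf;
    if (len < 1) return -1;
    size_t plen = pkt[0];
    buf = malloc(plen ? plen : 1);
    if (buf == NULL) return -1;
    if (plen > len - 1) {
        free(buf);              /* first free */
        goto cleanup;           /* second free happens below */
    }
    memcpy(buf, pkt + 1, plen);
    out->payload = buf;
    out->len = plen;
    return 0;
cleanup:
    free(buf);
    return rc;
}

/* Hardened pattern: validate before allocating, keep a single owner for the
 * buffer, and let exactly one cleanup path free it. Once ownership moves to
 * the caller the local pointer is cleared, and free(NULL) is a no-op. */
int parse_packet_fixed(const uint8_t *pkt, size_t len, struct parsed *out) {
    int rc = -1;
    uint8_t *buf = NULL;
    if (pkt == NULL || out == NULL || len < 1) return -1;
    size_t plen = pkt[0];
    if (plen > len - 1) goto cleanup;       /* truncated: nothing allocated yet */
    buf = malloc(plen ? plen : 1);
    if (buf == NULL) goto cleanup;
    memcpy(buf, pkt + 1, plen);
    out->payload = buf;
    out->len = plen;
    buf = NULL;                             /* caller now owns it */
    rc = 0;
cleanup:
    free(buf);                              /* the only free in this function */
    return rc;
}

/* Helpers exercising the hardened parser. The malformed packet is only ever
 * fed to parse_packet_fixed; the vulnerable error path is undefined behaviour. */
int demo_fixed_good(void) {
    const uint8_t good[] = { 3, 'a', 'b', 'c' };       /* constructed sample */
    struct parsed p = { NULL, 0 };
    int ok = parse_packet_fixed(good, sizeof good, &p) == 0
          && p.len == 3 && memcmp(p.payload, "abc", 3) == 0;
    free(p.payload);
    return ok;
}

int demo_fixed_truncated(void) {
    const uint8_t bad[] = { 10, 'a' };                 /* claims 10 bytes, carries 1 */
    struct parsed p = { NULL, 0 };
    return parse_packet_fixed(bad, sizeof bad, &p) == -1 && p.payload == NULL;
}

int main(void) {
    printf("well-formed packet parsed: %d\n", demo_fixed_good());
    printf("truncated packet rejected without double free: %d\n", demo_fixed_truncated());
    return 0;
}
```

The defensive rules the fixed version follows are worth stating explicitly: do all length validation before any allocation, give each heap object exactly one owner at a time, and route every exit through one cleanup label that is the only place the object is freed.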

CVE-2007-4681: A one byte buffer overflow may occur in CoreFoundation when listing the contents of a directory. By enticing a user to read a maliciously crafted directory hierarchy, an attacker may cause an unexpected application termination or arbitrary code execution.
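A one-byte overflow while listing a directory is the classic off-by-one: the code that builds "<directory>/<entry>" reserves room for the separator but not for the terminating NUL. The following added example (constructed here, not CoreFoundation's code) contrasts that careless length check with an snprintf-based join that refuses truncation; the function names and sample paths are assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the one-byte-overflow class behind CVE-2007-4681,
 * not CoreFoundation's code: while walking a directory the lister builds
 * "<dir>/<entry>" in a fixed-size buffer. */

/* The careless length check: it budgets for the '/' separator but not for the
 * terminating NUL, so an entry that needs cap+1 bytes passes and a following
 * strcat writes one byte past the buffer. Returns 1 when the check would accept. */
int naive_check_accepts(const char *dir, const char *name, size_t cap) {
    return strlen(dir) + 1 + strlen(name) <= cap;    /* off by one: needs + 2 */
}

/* Hardened join: snprintf never writes beyond cap and returns the length it
 * would have needed, so any result >= cap is a truncation and is rejected
 * instead of silently producing a wrong (or overflowing) path. */
int join_path(const char *dir, const char *name, char *out, size_t cap) {
    int n = snprintf(out, cap, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0) out[0] = '\0';
        return -1;
    }
    return n;                       /* length of the path written */
}

/* Same directory entry against an 11-byte buffer: "/tmp/abc/xy" is 11 chars
 * plus NUL = 12 bytes, so the naive check accepts one byte too many while the
 * hardened join refuses. Returns 1 if both behave as described. */
int demo_off_by_one(void) {
    char buf[12];
    const char *dir = "/tmp/abc", *name = "xy";      /* constructed sample */
    int naive_ok = naive_check_accepts(dir, name, 11);
    int safe_small = join_path(dir, name, buf, 11);
    int safe_full = join_path(dir, name, buf, sizeof buf);
    return naive_ok == 1 && safe_small == -1 && safe_full == 11
        && strcmp(buf, "/tmp/abc/xy") == 0;
}

int main(void) {
    printf("naive check accepts the overflowing entry: %d\n",
           naive_check_accepts("/tmp/abc", "xy", 11));
    printf("hardened join rejects it and the demo passes: %d\n", demo_off_by_one());
    return 0;
}
```

Because the attacker-controlled input here is a directory hierarchy rather than a network packet, the usual mitigations are bounded formatting functions that report truncation, plus fuzzing the lister with entry names at and around the buffer size.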

CVE-2007-4682: An uninitialized object pointer vulnerability exists in the handling of text content. By enticing a user to view maliciously crafted text content, an attacker may cause an unexpected application termination or arbitrary code execution.

The Mac OS X update also fixes a denial-of-service bug in AppleRAID, a cache-poisoning issue in ISC BIND 9, multiple race conditions in bzip2, an implementation issue in CFFTP, several CFNetwork vulnerabilities, a code execution hole in the Flash Player Plug-in, a pair of Kerberos code execution issues and several kernel vulnerabilities.

The Safari 3 Beta patch is also a high-priority update that fixes code execution holes in the browser. It is available for Windows XP and Vista.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio