Mac OS X Patch Day: 40 security flaws fixed

Summary:Apple has shipped another whopper of a patch to cover a total of 40 documented vulnerabilities affecting the Mac OS X ecosystem.The Security Update 2008-007, available for Tiger and Leopard, covers a range of third-party components and Mac OS X flaws that could users at risk of remote code executions attacks.

40 security flaws fixed
Apple has shipped another whopper of a patch to cover a total of 40 documented vulnerabilities affecting the Mac OS X ecosystem.

The Security Update 2008-007, available for Tiger and Leopard, covers a range of third-party components and Mac OS X flaws that could users at risk of remote code executions attacks.

The more serious vulnerabilities include:

  • Apache: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364) Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery.  Note: Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default.
  • ClamAV:  (CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914) Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution.
  • ColorSync CVE-2008-3642) A buffer overflow exists in the handling of images  with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.
  • CUPS (CVE-2008-3641) A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges.
  • libxslt (CVE-2008-1767)  A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution.
  • MySQL Server (CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079) MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PHP (CVE-2007-4850, CVE-2008-0674, CVE-2008-2371) PHP is updated to  version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PSNormalizer (CVE-2008-3647) A buffer overflow exists in PSNormalizer's handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution.
  • QuickLook (CVE-2008-4211) A signedness issue exists in QuickLook's handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.

Topics: Security, Apple, Hardware, Operating Systems, Software

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.