Someone get me rewrite: Apple delivers monster security update for OS X

Summary: Apple delivered a security update for Tiger and Leopard Tuesday with at least 80 patches addressing multiple vulnerabilities.

Apple delivered a security update for Tiger and Leopard Tuesday with at least 80 patches addressing multiple vulnerabilities.

You know it's a big patch haul from Apple when you read the advisory and:

  • You're not sure where to begin;
  • You're IMing fellow security folks (Ryan Naraine) to count CVE numbers for some clue of how many patches are included.

Depending on who is counting, I've come up with about 85 CVE numbers, but there are some duplicates in there (the advisory lists the same CVE under more than one entry). Remove those and you still get a tally of roughly 80. The OS X update follows a Safari security update. It looks like Apple is updating its whole product line today.
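Counting CVEs by hand, IM or otherwise, is how you end up with "about 85, or roughly 80." The script below is an added example, not code from the article or from Apple: it pulls every CVE identifier out of an advisory's text, reports the raw count, the count after de-duplication, and which identifiers were listed more than once, then breaks the unique set down by year. The sample input is constructed from the identifiers quoted in this article's highlights, with two of the ClamAV entries repeated to stand in for the duplicates the advisory contains; it is not the full advisory, so the numbers it produces are smaller than the 80-odd discussed above.

```python
import re
from collections import Counter

# Constructed sample input: the CVE identifiers quoted in this article's
# highlights, with two ClamAV identifiers repeated at the end to mimic an
# advisory that lists the same CVE under more than one entry.
SAMPLE_ADVISORY = """
ClamAV
CVE-ID: CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728
CUPS
CVE-ID: CVE-2008-0047, CVE-2008-0053, CVE-2008-0882
Emacs
CVE-ID: CVE-2007-5795
OpenSSH
CVE-ID: CVE-2007-4752
Printing
CVE-ID: CVE-2008-0996
System Configuration
CVE-ID: CVE-2008-0998
ClamAV (repeated entry, constructed for this example)
CVE-ID: CVE-2007-6335, CVE-2007-6336
"""

# CVE identifiers are "CVE-<4-digit year>-<4 or more digit sequence>".
# The trailing \d{4,} also accepts the longer sequence numbers introduced later;
# "CVE-ID:" itself does not match because "ID" is not digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(text):
    """Return every CVE identifier in the text, in order, duplicates included."""
    return [m.group(0).upper() for m in CVE_RE.finditer(text)]


def count_cves(text):
    """Return (raw_count, unique_count, duplicated_ids).

    raw_count is what you get by naively counting every 'CVE-' in the
    advisory; unique_count is the real number of distinct issues.
    """
    ids = extract_cves(text)
    counts = Counter(ids)
    duplicated = sorted(cve for cve, n in counts.items() if n > 1)
    return len(ids), len(counts), duplicated


def cves_by_year(text):
    """Return {year: number of distinct CVEs assigned in that year}."""
    by_year = {}
    for cve in set(extract_cves(text)):
        year = cve.split("-")[1]
        by_year[year] = by_year.get(year, 0) + 1
    return dict(sorted(by_year.items()))


if __name__ == "__main__":
    raw, unique, dupes = count_cves(SAMPLE_ADVISORY)
    print(f"raw mentions: {raw}, distinct CVEs: {unique}")
    print(f"listed more than once: {', '.join(dupes) or 'none'}")
    for year, n in cves_by_year(SAMPLE_ADVISORY).items():
        print(f"  {year}: {n}")
```

Paste the full advisory text into `SAMPLE_ADVISORY` (or read it from a file) and the same functions give the de-duplicated figure for the real update; the duplicate list also tells you which issues Apple fixed in more than one component or OS version.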

Among the highlights:

  • ClamAV (CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728): This fix addresses multiple vulnerabilities in Mac OS X Server v10.5.2. Apple says: "Multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution."
  • CUPS (CVE-2008-0047, CVE-2008-0053, CVE-2008-0882): Apple updated Mac OS X v10.5.2, Mac OS X Server v10.5.2 for "multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges."
  • Emacs (CVE-2007-5795): This update for Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a vulnerability that allows safe mode checks in Emacs to be bypassed.
  • OpenSSH (CVE-2007-4752): The update for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a flaw in OpenSSH that allows a remote attacker "to execute arbitrary code with elevated privileges."
  • Printing (CVE-2008-0996): Apple updated Mac OS X v10.5.2 and Mac OS X Server v10.5.2 to thwart a print queue issue. Apple says: "An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5."
  • System Configuration (CVE-2008-0998): The update covers Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The problem: "The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects."


About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
