Apple delivers hefty patch haul; Addresses Leopard flaws and Safari

Apple delivers hefty patch haul; Addresses Leopard flaws and Safari

Summary: Apple on Monday delivered another 41 patches to address multiple vulnerabilities in Mac OS X and Mac OS X Server including more than a few for Leopard.The security update, which matches last month's patch crop from Apple, features a few common threads.

SHARE:

Apple on Monday delivered another 41 patches to address multiple vulnerabilities in Mac OS X and Mac OS X Server including more than a few for Leopard.

The security update, which matches last month's patch crop from Apple, features a few common threads. Among them:

  • Leopard and Tiger are affected;
  • The patches mostly cover flaws that allow hackers to take over your system;
  • Execution holes abound throughout Mac OS X in iChat,  Core Foundation, Quick Look and Desktop Services;
  • Apple has been busy on the security front. Last week, Apple delivered a Java runtime update and patched a bunch of QuickTime. QuickTime has been under fire of late.

In any case, it is recommended that you update. Here's the laundry list of Apple's latest round of patches.

CVE-2007-4708: This plugs vulnerability in Address Book's URL handler. Apple says: "By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings." Versions affected include Mac OS X v10.4.11 and Mac OS X Server v10.4.11. Anyone running Mac OS X 10.5 or later isn't affected.

CVE-2007-4709: This one covers the Mac OS X v10.5.1, Mac OS X Server v10.5.1--also known as Leopard. The problem: "A path traversal issue exists in CFNetwork's handling of downloaded files," said Apple. In a nutshell, visiting a malicious Web site could allow the automatic download of files to arbitrary folders, which is a nice way of saying your computer has been hijacked.

CVE-2007-4710: This covers Mac OS X v10.4.11, Mac OS X Server v10.4.11 and doesn't affect Leopard. Specifically, Apple is addressing ColorSync. The issue: "Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution." Leopard not affected.

CVE-2007-5847: Again, this ditty covers Mac OS X v10.4.11, Mac OS X Server v10.4.11. (See a trend here yet?). The problem is Core Foundation, which could disclose sensitive information. Leopard not affected.

CVE-2007-5848: This one covers a CUPs vulnerability in a printer driver. Apple says "a local admin user may be able to gain system privileges." Leopard not affected.

CVE-2007-4351: Another CUPS problem and this one affects Leopard. Specifically, the OS X flavors impacted include Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The update corrects for a memory corruption issue in the handling of Internet Printing Protocol tags that could lead to an application crash or arbitrary code execution.

CVE-2007-5849: Another CUPs issue affecting Leopard and Leopard Server. Apple says: "If SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution. Description: "The CUPS backend SNMP program broadcasts SNMP requests to discover network print servers."

CVE-2007-5850: This one covers desktop services in Mac OS X v10.4.11, Mac OS X Server v10.4.11. Leopard isn't impacted. The gist: There's a buffer overflow problem in Finder that can lead to an arbitrary code execution. Leopard not affected.

CVE-2007-5476: Affects the Flash Player plug-in for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1 and Mac OS X Server v10.5.1. There are multiple vulnerabilities addressed by Adobe.

CVE-2007-4131: This one corrects a "maliciously crafted tar archive," an issue with GNU Tar. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11, but Leopard in the clear.

CVE-2007-5851: iChat is the issue here. The problem: A person on local network may initiate a video connection without permission. Leopard not impacted, but does cover Mac OS X v10.4.11 and Mac OS X Server v10.4.11.

CVE-2007-5853: IO storage issue where "opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution. Leopard in the clear, but Mac OS X v10.4.11, Mac OS X Server v10.4.11 isn't.

CVE-2007-5854: This one fixes launch services in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The problem: "Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting."

CVE-2007-6165: Another launch services problem, this time "opening an executable mail attachment may lead to arbitrary code execution with no warning." Affects Leopard and Leopard Server.

CVE-2007-5855: Affects mail on Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The problem: "SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available."

CVE-2007-5116 and CVE-2007-4965: Addresses problems with perl and python, respectively. Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1 impacted.

CVE-2007-5856 and CVE-2007-5857: Both address Quick Look vulnerabilities in Leopard. Previewing a movie can disclose sensitive information. There are also some URL access issues.

CVE-2007-5770 and CVE-2007-5379, CVE-2007-5380, CVE-2007-6077: Vulnerabilities abound in Ruby libraries and Rails 1.2.3. The first one listed impacts. Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The remainder CVEs impact Leopard only.

CVE-2007-5858: A Safari fix for a information disclosure flaw. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. Also impacts Safari 3 Beta on Windows XP and Vista.

CVE-2007-5859: Safari RSS has issues on Mac OS X v10.4.11, Mac OS X Server v10.4.11. Maliciously crafted feed may lead to application termination or arbitrary code execution. Leopard not affected.

CVE-2007-4572, CVE-2007-5398: Addresses Samba vulnerabilities. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1.

CVE-2006-0024: Addresses Shockwave woes in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1.

CVE-2007-3876: Apple says: "A stack buffer overflow issue exists in the code used by the mount_smbfs and smbutil applications to parse command line arguments, which may allow a local user to cause arbitrary code. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-5863: Even Software Update has a few flaws. Leopard impacted by "a man-in-the-middle attack could cause Software Update to execute arbitrary commands execution with system privileges."

CVE-2007-5860: Spin Tracer flaw affecting Leopard. "A local user may be able to execute arbitrary code with system privileges."

CVE-2007-5861: Addresses Spotlight flaws. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-1218, CVE-2007-3798: Vulnerabilities abound in tcpdump. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768: Multiple vulnerabilities plugged in XQuery. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

Topics: Servers, Apple, Hardware, Operating Systems, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

81 comments
Log in or register to join the discussion
  • Welcome to the nightmare

    Perhaps we could all agree now that all OSs have problems and the belief that somehow Apple's programmers are SPECIAL (and I'm sure they are ;-)) and just don't make mistakes in design or execution is just wrong.

    Of course given Apple's media campaigns and the blind worship of their followers, this is somewhat ironic and also paints Apple as amateurs in the OS business. After years of sneering at MS, you think they could have made a list of common problems and made sure they didn't occur in their new OS, but pride surely comes before a fall.

    For all the apologists - just get over it. Software will always have bugs and exploits as, apart from the human errors, you cannot simulate reality with a bunch of IF-THEN or CASE statements. What matters is the bugs get fixed properly in a reasonable time and we all move forward.

    So welcome to the real world Mac users and try using a smile instead of a sneer.
    tonymcs@...
    • OK, STOP RIGHT HERE AND LOOK

      For once, I have to say ZDNET did an admirable job of reporting use information. A
      security update is available and should be applies.

      Then we start see lame comments that seek to divide the computing community
      into camps again. Without comment on the post itself (although I wonder what
      could have been so bad in the several posts that have been deleted?) all I would
      say is the bloggers are MOST at fault here for the negative tone that carries THIS
      blog into the gutter.

      Frankly, I'd say if you're on a Windows machine and like it. Good for you. If you're
      on a Mac and like it good for you. But there is simply no need to "bash" one another
      because our computer is different than someone else's. That is just plain childish.

      So go sit in the corner for 30 minutes with a funny hat on and when you're ready to
      play nice, come back. Otherwise, it's off to the principal's office with you!

      Now the rest of the class will have 10 minutes of play time... <sigh>
      musician88
      • The problem

        The problem here is that you have Apple ads telling us how much more secure their software is. And whenever MS releases a patch that contains just a few security fixes we need to hear from Kool-Aid drenched Apple fanboys how it proves that Windows is less secure.

        So please excuse the rest of us for pointing out that Apple in fact fixes way more holes whenever they releases Yet Another Monster Patch. And these are not minor issues. These are remote execution holes combined with privilege escalation holes. Something that hackers will kill for on a platform if only that platform had any real level of marketshare.
        Qbt
        • False reasoning

          OK, there is so much false reasoning flying around it defies imagination.

          Apple can run ads claiming to be more secure if they want to. They haven't had
          nearly the level of exploited security holes on their systems (yet) that Windows has
          had. The important factor here is *exploited*, past tense, actual real world, non-
          theoretical attacks on systems.

          You claim that a security patch from Apple with a long list of items indicates that
          Apple's OS is less secure. Um... no. That tells us nothing about either platform in
          terms of security. It could be that XP or Vista has just as many holes but MS has yet
          to discover or fix them.

          I'm not going to bother to study the list of fixes, but Mac users have seen enough
          security *experts* claim that OS X is terribly insecure because of a remote
          execution or privilege escalation hole that ended up requiring initial local access or
          social engineering scheme to allow the actual compromise to occur. Mac users will
          get bitten some day, just like Windows users have been bitten countless times, but
          up to this point, the security *experts* look rather foolish in their attempts to
          create drama where it doesn't exist.
          themacolyte
          • False security

            When a flaw is discovered and is fully exploitable, the fact that someone hasn't taken advantage of it does not lessen the fact there is an exploitable flaw. An exploitable flaw is just that, and based on your theory you are ok to not take updates. (actually your are right and only for one reason)<br>
            In fact Apple was proven to have a remotely exploitable flaw but Apple covered it up the very day it was released to the public, but finding and fixing via "routine security review".
            Everyone that is not so bent on the idea of an unblemished system knows what was going on there. <br>
            Let's not go down this road over and over. Windows is obviously almost exclusively targeted since any attack a terrorist wanting to disrupt US commerce or criminal organizations wanting to steal identities, decides to make, he knows that over 90% of the time he will be hitting Windows machines and have a much far reaching affect and scale so massive it would never make sense to do otherwise. <br>
            There is no reason, period, for real hackers with the equipment and skill and numbers to go after OS X, it would be a totally unprofitable venture. It would be like a business deciding between two markets, one with a rich economy and much wealth among the people (users) to buy their product and another market in the Sahara desert with a population only fractional of the other market and no economy or money except for a few....
            Its not even worth discussing.
            xuniL_z
          • False motivation

            Let's face it, the true reason for the gleeful Apple bashing over its latest patches is
            that lots of long time Windows users, who hate the idea of trying something new,
            try to minimize Mac's advantages instead. That way they can justify remaining in
            their little Windows cocoon.

            If you had been paying attention, the point of the "False reasoning" talkback to
            which you replied was that real world exploits of Macs are far fewer than Windows.
            It doesn't matter to users whether that's due to better OS design or a lower market
            share. That's not false security, it's a genuine advantage (not to be confused with
            WGA which is another thing entirely).

            Incidentally, most Mac users were forced long ago to be Windows users also, so
            unlike other Windows users, we know what we're talking about. The
            characterization of "fanboy" fits the other foot.
            Robert Kohlenberger
          • False reaoning.

            So if everyone comes out of their little cocoon and jumps on the OS X bandwagon and it does then reach a critical level of marketshare, what have we gained? How can it stay small and niche if you keep talking this way. You shoud be keeping it hush hush, so as to retain your security for generations to come. Let's face it, with the patch track record of Apple, and it's not just the last few years, get with it, it's always been this way, if Apple has windows market OS X would be blown out of the water.
            <br>
            However, Vista changes everything. It's more secure than Leopard based on the blog a few weeks ago about security experts take on Vista....actually considerably moreso if you believe that blog. I personally saw Mac camp people who are not zealots, conceding to that fact. <br>
            So now we have a Windows that is much more secure, why would anyone want OS X? Have you even looked at the iTunes interface? It's a mess. Text stepping overtop button controls, manual procedures to move your library of files. You literally have to drag and drop them....per Apple help files.
            xuniL_z
          • Re: False motivation

            Quoted: Let's face it, the true reason for the gleeful Apple bashing over its latest patches is that lots of long time Windows users, who hate the idea of trying something new, try to minimize Mac's advantages instead. That way they can justify remaining in their little Windows cocoon.

            First one this one, I am sure I speak for a lot here when I say it's not bashing on Apple because we are Windows users not willing to try new things. For most of those here that use windows it is because the Mac computer is proprietary and when you would like to upgrade you will spend an average of 10% to 20% for the upgrade compared to a PC with a similar upgrade. Also and this supports the proprietary statement, A very large group of PC users started a discussion about how nice it would be for Apple Corp. to port OSX to the PC platform. Apple Corp. took the whole group to court to get the blog off the internet and succeeded. On the proprietary side lets look at the most basic item, the keyboard, Apple corp price for a regular mac keyboard $49.00 on their website, regular keyboard for PC $10.00 or less found almost everywhere you shop.that same $49.00 can get a PC user a fully featured wireless RF keyboard. so before we go bashing on each other lets look around and see what facts we can come up with.


            QUOTED: Incidentally, most Mac users were forced long ago to be Windows users also, so unlike other Windows users, we know what we're talking about. The characterization of "fanboy" fits the other foot.

            First on this one is any forcing of people to change their OS is a bad statement, no one pointed a gun to their head and said you have to switch to Windows OS. Lets face it and go back a little and look at the possibilities. Is it possible these people made the decision of their own accord? Is it possible something Windows did or maybe even Linux (lets not leave the 3rd OS provider out) did something good that made these people decide to switch. and my third possible theory on it which most Mac users will scoff at, did Apple Corp. maybe do something that made them switch over. All of these are possibilities.
            WV_z
          • goalposts?

            Love how the goalposts shift. Firstly the fanbois espouse how their system has *no* vulnerabilities. Then the vulnerabilities come. Then they rave about how the vulnerabilities haven't been *exploited*, so they don't really count. Hmmm, wonder what the logical progression here is, and what they're going to rant about once the vulnerabilities are exploited? Nice keyboards?
            penno2
          • False Logic

            Just because Windows is more exploited than Macs, doesn't mean that Windows is less secure. A flaw is a flaw no matter how little it is exploited. The only way Macs can actually claim it is more secure than Windows is if there are indeed less flaws.
            aka_tripleB@...
        • No money

          If these super-big holes are on the Macintosh platform, why get yer underwear all in a
          bind feller? Everyone knows hackers don't bother messin' with Macs because there
          ain't on money in that kinda thing. IOW, it's a non-issue since they like Windows big
          holes so much better!
          Chiatzu
    • OK, STOP RIGHT HERE AND LOOK

      For once, I have to say ZDNET did an admirable job of reporting useful information.
      A security update is available and should be applied.

      Then we start see lame comments that seek to divide the computing community
      into camps again. Without comment on the post itself (although I wonder what
      could have been so bad in the several reply posts that have been deleted?) all I
      would say is the bloggers are MOST at fault here for the negative tone that carries
      THIS blog into the gutter.

      Frankly, I'd say if you're on a Windows machine and like it. Good for you. If you're
      on a Mac and like it good for you. But there is simply no need to "bash" one another
      because our computer is different than someone else's. That is just plain childish.

      So go sit in the corner for 30 minutes with a funny hat on and when you're ready to
      play nice, come back. Otherwise, it's off to the principal's office with you!

      Now the rest of the class will have 10 minutes of play time... <sigh>
      musician88
    • Leopard does hurt

      Both Apple and Microsoft have their FanBoys and Doomsayers. Its clear that Apple
      is getting a black eye with Leopard similar to the one Microsoft got with Vista.

      It may hurt Apple worse as reliability and robustness has been an Apple selling
      point.

      I'll still take Leopard over Vista and Mac over PC anyway as even though Apple is far
      from perfect, its still far better than Microsoft. Even Leopard as bad as it is (and its
      a far cry from Tiger indeed) causes me less grief on a daily basis than XP.

      Very disappointing but still better. Apple, get your act together because if you
      loose differentiation from Microsoft, you won't grow market share.
      jimboutilier
      • Still

        Vista hasn't given me half the fits leopard has. I was really hoping for great things with leopard and was disappointed to find an os that feels rushed out the door, and buggier than anything I've ever had on this box.
        Spiritusindomit@...
      • except...

        except that the majority of these patches didnt affect OSX 10.5 as far as i can tell.
        doh123
  • RE: Apple delivers hefty patch haul; Addresses Leopard flaws and Safari

    Just installed these patches, and it broke all my MS Apps - Word, Excel, Powerpoint, Entourage....

    WTF!
    lleake
    • Entourage

      These patches couldn't have made Entourage any worse than it already is. ;) It was the world's worst email client going in.
      Larry Dignan
    • Nor mine...

      Sounds like you might have bigger problems. I applied the patch last night, fired up Word 2004 without difficulty this morning.
      online@...
    • Personal?

      Installed the OS X patches last night, and all my (legal) MS Office for Mac v.X
      apps work just fine on my Intel Core 2 Duo iMac. Maybe your versions are
      different, or maybe it's just personal.
      frabjous
  • YEAH GREAT POST!!!!!

    Totally right my friend. There are NO issues with OS X because there are issues with Win$ux!! That's a fact!
    NonZealot