Apple issues patches for Leopard and MOAB flaw from 2007

Summary: Apple on Monday dropped 10 patches addressing eight vulnerabilities in Mac OS X 10.5, also known as Leopard.

Apple on Monday dropped 10 patches addressing eight vulnerabilities in Mac OS X 10.5, also known as Leopard. One patch addresses a Tiger flaw that was described on the Month of Apple Bugs web site almost a year ago.

Among the highlights:

Apple issued a patch for an arbitrary code execution flaw that impacts Mac OS X 10.4.11 and its OS X Server counterpart. This directory services issue (CVE-2007-0355) was described on the Month of Apple Bugs web site. Last March Apple fixed a bunch of vulnerabilities that seemed to have vindicated MOAB hackers. It appears Apple let one vulnerability from that project slip through.

Here's Apple's description:

A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue.

Aside from that MOAB flaw in Tiger, the bulk of Apple's patch haul was designed to plug Leopard.

By the CVEs for Leopard:

  • CVE-2008-0035: Affects Leopard and its server counterpart. Apple says "accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution." The issue resides in Safari's handling of URLs. The issue doesn't affect any system prior to Mac OS X v10.5.
  • CVE-2008-0038: Apple issued a patch so an application removed from the system couldn't be launched via Time Machine's backup. Obviously this could get sticky if you had a malicious program that was stored in Time Machine. Talk about bad memories. Affects Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1.
  • CVE-2008-0040: This patch addresses an NFS issue in Leopard OS X and Server. Apple noted: A memory corruption issue exists in NFS's handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through improved handling of mbuf chains. This issue does not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of Sun Microsystems for reporting this issue.
  • CVE-2008-0041: Apple patched a parental control issue. In a nutshell, a remote user could find machines with parental controls, request an unblock and swipe information. Affects Leopard OS X and Server.
  • CVE-2007-4568: Multiple vulnerabilities were found in the X11 X Font Server in Leopard.
  • CVE-2008-0037: Another X11 issue. This flaw meant that you couldn't change security preferences. Apple said: The X11 server is not reading correctly its "Allow connections from network client" preference, which can cause the X11 server to allow connections from network clients, even when the preference is turned off. This update addresses the issue by ensuring the X11 server reads its preferences correctly. This issue does not affect systems prior to Mac OS X v10.5.

CVEs for both Leopard and Tiger:

  • CVE-2007-6015: This one affects both Leopard and Tiger. "A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests," says Apple.
  • CVE-2008-0042: Apple patched its Terminal app, which could allow arbitrary code execution if a user viewed a maliciously crafted web page.

CVEs for Tiger:

CVE-2008-0039: Apple patched an arbitrary code execution flaw in its mail application for Mac OS X v10.4.11 and Mac OS X Server v10.4.11. Apple says:

An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message.

Talkback

13 comments
  • Apple, Microsoft

    Same Sh|T Different Day
    Mectron
    • So fixing bugs is bad?

      Perhaps you prefer denial.
      Fred Fredrickson
      • You don't understand....

        And it's not your fault few people have heard of the great and wonderful Mectron. He
        is the ONE and only coder that has never released anything with a flaw in it. No
        matter how complicated, no matter how large a project the great and wonderful
        Mectron is to date flawless and perfect. Of course he's never actually released
        ANYTHING yet but hey his batting record is a 1000 so far...:P

        Pagan jim
        James Quinn
        • note to self:

          note to self:

          please refrain from drinking when reading ZD Net talkbacks. It sucks having to clean
          coffee from a keyboard and monitor.
          CMKRNL
          • HFS

            Dude, I just spilled coffee on my KB for the 1st time in my life right after reading this...

            No joke.

            what the nuts!?
            tikigawd
  • Obviously...

    ...a WinTel plot.
    IT_Guy_z
  • RE: Apple issues patches for Leopard and MOAB flaw from 2007

    Really. What took Apple so long to fix the CVE-2007-0355?
    Get Apple is making Microsoft look fast in fixing bugs.
    phatkat
    • It's all part of a very clever plan.....

      With so very much going so very well for Apple one might worry about the "Fates"
      those dark demons who bring tragedy to those who are doing fine. So Apple and
      Jobs being as clever as he is decided to give the "Fates" something every now and
      again to throw their focus off. Now the fates talking amongst themselves can point
      and say "Look Apple stumbled a bit......sigh. I guess there is no need to bring a
      plague such as a Ballmer/Jobs switcheroo"

      Just remember and shhhhhhhhhh it's all part of the plan.....:P

      Pagan jim
      James Quinn
  • WHAT?

    Patches for an Apple? Surely, this must be some kind of sick joke. Everyone KNOWS Apple is perfect. (smirk smirk)
    Crestview
    • Everyone I know has made that claim. No it does not

      go that way at all. No one I know has ever made that claim. Yeah that's the ticket.

      Pagan jim
      James Quinn
  • RE: Apple issues patches for Leopard and MOAB flaw from 2007

    >>>One patch addresses a Tiger flaw that was described on the Month of Apple Bugs web site almost a year ago.<<<

    Why so long? Did it take them that long to figure out how to fix it?
    joe6pack_z
    • seems like it...

      seems like they are slow at many things... it took them like 6+ months to make an
      updated driver for Geforce 8600s that didn't have major OpenGL problems where
      some software couldn't even run.
      doh123
      • Blasphemy!

        Apple is perfect.

        Shut yo mouth!
        tikigawd