The sudden Apple Patch Day also included a patch to cover a trio of flaws in the Safari Web browser (Mac OS X and Windows).
The OS X update covers flaws in 31 different components, including several known (and dated) issues in open-source packages used by Apple. These include vulnerabilities in Apache, BIND, CUPS, OpenSSL, PHP and Kerberos.
The update also fixes what Apple describes as "arbitrary code execution" vulnerabilities in ATS, CFNetwork, CoreGraphics, Cscope, Disk Images and Spotlight.
The full list of affected software, components and discussion of risk is available on Apple's support site.
Separately, Apple shipped new versions of its Safari 3 and Safari 4 (beta) browsers to cover the following issues:
- libxml (CVE-2008-3529): A heap buffer overflow exists in libxml's handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Affects Mac OS X as well as Windows XP and Vista.
- WebKit (CVE-2009-0945): A memory corruption issue exists in WebKit's handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking. Apple credits security researcher "Nils" for reporting this issue, suggesting it is the flaw exploited during this year's CanSecWest contest.