Mac OS X Leopard mega-patch plugs 41 security holes

It's Patch Day in the land of Mac OS X Leopard.

Apple today shipped Security Update 2008-003 (Mac OS X 10.5.3) with fixes for a wide range of serious vulnerabilities that could put users at risk of information disclosure, denial-of-service and remote code execution attacks.

The update (see Techmeme discussion) includes a fix for the iCal vulnerabilities that were publicly disclosed by Core Security last week. The iCal bugs could be exploited to crash iCal or execute arbitrary code via malicious calendar updates or by importing a specially crafted calendar file.

[ SEE: iCal vulnerabilities put Mac OS X users at risk ]

Core Security's warning mentions three separate vulnerabilities, but Apple's update only includes a fix for a single bug:

A use-after-free issue exists in the iCal application's handling of iCalendar (usually ".ics") files. Opening a maliciously crafted iCalendar file in iCal may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by improving reference counting in the affected code. This issue does not affect systems prior to Mac OS X v10.5.
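As an added illustration, not code from the article or from Apple, here is a minimal C model of how a missing retain in reference-counted code leaves a dangling pointer of the kind behind a use-after-free, beside the corrected form; the names ics_event, calendar and parse_event are this example's own assumptions.

```c
/* Added example (not Apple's code): minimal model of the reference-counting
 * mistake that yields a use-after-free, beside the corrected form. The names
 * ics_event, calendar and parse_event are this example's own assumptions.
 * free() is modelled by clearing `live`, so the faulty path is observable
 * without touching freed memory. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    int refs;           /* number of owners holding a reference */
    int live;           /* 1 while storage is valid, 0 once released to zero */
    char summary[32];
} ics_event;

typedef struct { ics_event *current; } calendar;  /* a second owner */
static ics_event *event_retain(ics_event *e) { e->refs++; return e; }

static void event_release(ics_event *e) {
    if (--e->refs == 0) e->live = 0;  /* real code would free(e) here */
}

/* Parser stand-in: the creator starts out owning one reference. */
static ics_event *parse_event(const char *summary) {
    ics_event *e = calloc(1, sizeof *e);
    e->refs = 1; e->live = 1;
    strncpy(e->summary, summary, sizeof e->summary - 1);
    return e;
}

/* Buggy: stores the pointer without taking a reference of its own. */
static void calendar_set_buggy(calendar *c, ics_event *e) { c->current = e; }

/* Fixed: every stored pointer is backed by a reference. */
static void calendar_set_fixed(calendar *c, ics_event *e) {
    if (c->current) event_release(c->current);
    c->current = event_retain(e);
}

/* Import one event, let the parser drop its reference, then report whether
 * the calendar's pointer is still valid: 1 = valid, 0 = dangling (UAF). */
static int import_then_check(int use_fix) {
    calendar cal = {0};
    ics_event *e = parse_event("Patch day");
    if (use_fix) calendar_set_fixed(&cal, e); else calendar_set_buggy(&cal, e);
    event_release(e);                 /* parser is done with the event */
    int ok = cal.current->live;       /* safe only because free is modelled */
    if (use_fix) event_release(cal.current);
    free(e);                          /* reclaim the modelled storage */
    return ok;
}
```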

In all, Apple documents at least 41 vulnerabilities in this mega update. They include seven (7) different vulnerabilities in Apple's implementation of Apache, the most serious of which may lead to cross-site scripting attacks.

[ SEE: Adobe Flash zero-day exploit in the wild ]

The Flash Player Plug-in also gets a makeover to correct seven (7) bugs that could lead to arbitrary code execution via booby-trapped Flash content. This update includes a fix for the flaw that's currently being exploited in drive-by malware attacks.

Code execution holes are also fixed in AppKit's processing of document files; Apple Pixlet Video's handling of files using the Pixlet codec; Apple Type Services server's handling of embedded fonts in PDF files; CoreFoundation's handling of CFData objects; and CoreGraphics' handling of PDF files.

The Mac OS X Leopard patch also fixes flaws in CoreTypes, CUPS, Help Viewer, International Components for Unicode, Image Capture, ImageIO, Kernel, LoginWindow, Mail, ruby, Single Sign-On and Wiki Server.


Talkback

  • Apple programmers work in an odd fashion

    The Mac zealots constantly tell us that Apple is better because Apple releases bug fixes as soon as they are ready instead of once a month like Microsoft. What a coincidence that Apple developers finished half a gig worth of fixes all on the same day!! :)
    NonZealot
    • Hi NZ

      How many viruses are there out there for OS X, BSD, Linux
      and UNIX?

      How many for Windows?

      I seem to remember that the first group has a number
      between zero and 10. The second group is between
      100,000 and 200,000.

      I am a (retired) programmer - So a professional opinion -
      Windows will only get fixed when backward compatibility is
      finally abandoned. If MS does kill backward compatibility,
      their business is probably gone.

      A possibility would be to sand-box conventional Windows
      applications in their own memory spaces (Like Apple did
      with their "Classic" emulation layer, so that they could
      move on from their failing OS9 business.). Perhaps MS
      should also limit the old stuff to their own quarantined
      areas of disk and memory. Sorry, but band-aids like UAC
      are not going to fix it.
      Tim99
      • What, specifically, about backwards compatibility...

        ...needs to be addressed wrt to security? With the release of Vista Microsoft pretty much addressed it.
        ye
      • Other important questions

        How much consumer desktop marketshare is there between OS X, BSD, Linux, and UNIX?

        How much for Windows?

        I seem to remember that the first group has a number between 5% and 7%. The second group is between 90% and 95%.

        [i]I seem to remember that the first group has a number between zero and 10.[/i]

        Actually, every time OS X gains a tiny bit of marketshare, [url=http://blogs.zdnet.com/hardware/?p=1021] OS X gains more attention from malware authors. [/url]

        How long did an out of the box install of OS X survive the PWN2OWN contest once they put a human in front of the keyboard and started browsing the web?

        How long for Windows?

        I seem to remember that the first group lasted 2 minutes and the second group escaped unscathed.

        Many people make the argument that OS X is more secure because it's targeted less. I can actually buy that argument. You are saying that OS X is targeted less because it is more secure and that is easily proven false. From half gig patches to daily discoveries of gaping, critical, exploitable holes in Finder, Safari, and QuickTime, OS X is simply not safer by design, it is safer by obscurity. Unfortunately for all of you, OS X is getting less obscure by the day.

        [i]Sorry, but band-aids like UAC are not going to fix it.[/i]

        Yeah, what Windows needs is a security model that allows users to run with restricted rights and allows administrators to specify granular security permissions on OS resources. Wait, Windows has had that since 1993 with ACLs. Mac OS didn't get restricted rights until 7 years later and are still stuck with only being able to assign permissions for a resource to a single group.

        What Windows needs is a browser that runs with fewer permissions as the current user, just like some Linux distros. Wait, Windows got that with Vista. OS X still defaults to granting Safari (and all of its plug-ins) full write access to all of the current user's files. YIKES!!! How about you guys work on that one before pointing the security finger at others. :)
        NonZealot
        • The most important question.

          Which computing experience is more pleasant? Every other
          question is only an appendage to that fundamental question.

          Apparently, it really, really, really bothers you that some people
          like their Mac computing experience so much they brag about
          how wonderful it is.

          That tells me you are a very insecure person.
          frgough
          • 90%+ believe the Windows experience is more pleasant

            Otherwise they would have switched. :)

            [i]Apparently, it really, really, really bothers you that some people like their Mac computing experience so much they brag about how wonderful it is.

            That tells me you are a very insecure person.[/i]

            Not quite. If Mac users stuck to saying [i]I love my Mac. It works really well for me.[/i] then I would reply with [i]Good for you! Glad you found something that works.[/i] However, Mac users lie and [b]that[/b] is what I jumped on in my original post. You can't say Apple is better than MS because Apple releases patches as soon as they are ready and then expect me to believe that Apple developers all finished half a gig of patches all on the same day. To me, a real sign of insecurity is someone who has to [b]lie[/b] in order to justify their decisions and that is what I pointed out in my post. If they were truly secure in their decision to buy a Mac, they wouldn't resort to lying about how bad the alternatives are. :)
            NonZealot
          • Wrong.

            In logic, the fallacy is called Appeal to Numbers.

            Most Windows machines are business purchases; individuals don't
            get to make that decision.

            Try again.
            frgough
          • Uh huh. And what of all the Macs being sold?

            Just another figment of our imagination?
            ye
          • Follow up

            And in the $1000 and up computer market, where individuals are
            actually making their own purchasing decisions, Macs have 66% of
            the market.

            So you lose twice.
            frgough
          • RE:Ye

            Most Mac purchases are in the consumer space. Most Windows
            purchases are in the corporate space.

            It's amazing this has to even be explained to you. But then again,
            zealots are not rational beings.
            frgough
          • @frgough: $1k [i]and retail[/i]

            Carefully specify the criteria and you can paint any picture you want. For example if we narrowed it even further and added the restriction "from the Apple store" we'd have 100% Macintosh sales.
            ye
          • Re: Ye

            No,

            the point is, when an individual's choice is a significant factor
            (retail, and $1000 and up) 66% of those individuals choose
            Macintosh.

            When a Corporate bureaucrat makes the choice, an individual's
            preference is meaningless.

            The parameters are valid to the point being proven.
            frgough
          • @frgough: Then why the restriction?

            Why not just discuss the market as a whole?

            [i]The parameters are valid to the point being proven.[/i]

            Of course they are. Because they're what [b]makes[/b] the point. Without them there is no point. As I said: Add enough restrictions and you can make any point you want.
            ye
          • re: Ye

            OK, now you're just being deliberately stupid.

            The initial point is that because 90% of computers are
            Windows, people prefer Windows.

            The argument was that pure numbers = preference. So what is
            being measured is preference.

            That means you actually have to measure it. That means you
            have to find statistics where preference is the dominant factor.

            Corporate purchases do not reflect individual preferences, so
            corporate purchases have to be thrown out as irrelevant data
            points.

            So, what data points are most strongly influenced by individual
            preference.

            That would be retail. So we focus on retail, but not all retail.
            We need to toss out data points where price is the strongest
            motivator, not personal preference. That eliminates the low
            end, because we want to isolate to preference only, so we pick
            price points reflecting individuals for whom price is irrelevant.

            So we have high cost retail machines. In this space, the
            predominant deciding factor is personal preference, which is
            what the original poster with his 90% comment was trying to
            prove.

            So, now we have the correct space where preference is THE
            determining factor.

            And we find that 66% of those purchases where PREFERENCE is
            the determining factor go Macintosh.

            Your problem is, you don't know how to make valid data
            samples.
            frgough
          • @frgough: Again why restrict?

            Again I repeat: Put restrictions in place that result in the point you want to make and why would anyone be surprised you make said point?

            Slice it and dice it any way you wish. In the end the result was crafted by putting in place restrictions.
            ye
          • one flaw

            [i]So we have high cost retail machines. In this space, the predominant deciding factor is personal preference, which is what the original poster with his 90% comment was trying to prove.

            So, now we have the correct space where preference is THE determining factor.

            And we find that 66% of those purchases where PREFERENCE is the determining factor go Macintosh.[/i]

            I see your point, and I don't completely disagree with you. But there is one flaw to that argument.

            Let's say someone has $9000.00 to spend on a PC, but that person prefers Linux or Windows. He does not need to spend over $1000.00, so he buys a $900.00 machine. His preference has now been thrown out, simply because he did not need or want to spend over $1000.00.
            Badgered
          • RE: Badgered

            You raise a valid point. There may also be individuals who
            purchase the Apple for its hardware and run Linux or Windows on
            it instead of OS X.

            The space isn't ideal, but is probably the best you can get without
            doing a dedicated study.
            frgough
          • Re: Ye

            I stated why I made the restrictions. It isn't slicing and dicing. It's
            an attempt to create a valid data sample, so that you can make
            an accurate measurement.

            What you really don't like is the 66% number. If the result were
            66% Windows, you wouldn't even be complaining about "slicing
            and dicing" you'd be pointing your finger and laughing.

            Sometimes I forget that zealots cannot be reasoned with.
            frgough
          • @frgough: We all know why the restrictions were put in place.

            No need to explain to us that they were put in place to influence the outcome.

            [i]What you really don't like is the 66% number.[/i]

            Actually I could care less. I'm not here to champion Windows over the Macintosh. A person should use what they want. I'm only here to call out the FUD ABMers find the need to spew.

            [i]Sometimes I forget that zealots cannot be reasoned with.[/i]

            Agreed. Which is why I won't be responding to you on this subject any longer. It's a waste of effort trying to reason with you.
            ye
          • No, the real problem with that 66% ....

            ... number is it is a made up number. You selected one narrow segment of the market that demonstrated your point. You claim that most PC purchases are for corporations. That is not true. There are just as many consumer PCs as there are corporate. You further went on to say retail because that eliminates all the online PC sales. On top of that you limit the choice further by putting the $1,000 hurdle in the way. The bulk of computers sold do not cost $1,000. In short your 66% number proves nothing more than Apples are expensive.
            ShadeTree