Mac OS X Patch Day: 40 security flaws fixed

Summary: Apple has shipped another whopper of a patch to cover a total of 40 documented vulnerabilities affecting the Mac OS X ecosystem. The Security Update 2008-007, available for Tiger and Leopard, covers a range of third-party components and Mac OS X flaws that could put users at risk of remote code execution attacks.

The more serious vulnerabilities include:

  • Apache (CVE-2007-6420, CVE-2008-1678, CVE-2008-2364): Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross-site request forgery. Note: Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default.
  • ClamAV (CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914): Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution.
  • ColorSync (CVE-2008-3642): A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.
  • CUPS (CVE-2008-3641): A range-checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges.
  • libxslt (CVE-2008-1767): A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution.
  • MySQL Server (CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079): MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PHP (CVE-2007-4850, CVE-2008-0674, CVE-2008-2371): PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PSNormalizer (CVE-2008-3647): A buffer overflow exists in PSNormalizer's handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution.
  • QuickLook (CVE-2008-4211): A signedness issue in QuickLook's handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.
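As an added post-patch check that is not part of the ZDNet article: a script that compares the component versions the update raises to (Apache 2.2.9, MySQL 5.0.67, PHP 4.4.9, as listed above) against what a host's tools report. The probe command banners are assumed from the tools' usual output, the ClamAV threshold is an assumption because the article names only the affected 0.93.3 release, and the sample banners are constructed.

```python
import re
import subprocess

# Minimum versions the Security Update 2008-007 write-up names. ClamAV's fixed
# version is not stated there; requiring anything newer than 0.93.3 is assumed.
MINIMUM_VERSIONS = {
    "apache": (2, 2, 9),
    "mysql": (5, 0, 67),
    "php": (4, 4, 9),
    "clamav": (0, 93, 4),  # assumption: strictly newer than the affected 0.93.3
}

# Probe command per component and the regex that pulls the version out of
# its banner. Banner layouts are assumed from the tools' usual output.
PROBES = {
    "apache": (["httpd", "-v"], r"Apache/(\d+(?:\.\d+)+)"),
    "mysql": (["mysql", "--version"], r"Distrib (\d+(?:\.\d+)+)"),
    "php": (["php", "-v"], r"^PHP (\d+(?:\.\d+)+)"),
    "clamav": (["clamscan", "--version"], r"ClamAV (\d+(?:\.\d+)+)"),
}

def parse_version(banner, pattern):
    """Extract a dotted version from a banner as a tuple of ints, or None."""
    match = re.search(pattern, banner, re.MULTILINE)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))

def evaluate(component, banner):
    """Classify one component's banner as patched, vulnerable or unknown."""
    _, pattern = PROBES[component]
    found = parse_version(banner, pattern)
    if found is None:
        return "unknown"
    # Tuple comparison copes with extra digits: (2, 2, 9, 1) >= (2, 2, 9).
    return "patched" if found >= MINIMUM_VERSIONS[component] else "vulnerable"

def run_probe(component):
    """Run the real command on this host; a missing tool counts as unknown."""
    cmd, _ = PROBES[component]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return evaluate(component, proc.stdout + proc.stderr)

# Constructed sample banners (not captured from a real host) for offline use:
# Apache and PHP are at the patched level, MySQL and ClamAV are not.
SAMPLE_BANNERS = {
    "apache": "Server version: Apache/2.2.9 (Unix)\nServer built:   Oct 2008",
    "mysql": "mysql  Ver 14.12 Distrib 5.0.45, for apple-darwin9.0 (i686)",
    "php": "PHP 4.4.9 (cli) (built: Oct  9 2008 12:00:00)",
    "clamav": "ClamAV 0.93.3/8253/Fri Oct 10 2008",
}

if __name__ == "__main__":
    for name in PROBES:
        print(name, "sample:", evaluate(name, SAMPLE_BANNERS[name]),
              "host:", run_probe(name))
```

A version check is meaningful for these four components because the update moves them to the upstream release numbers the article lists; it says nothing about ColorSync, CUPS, libxslt, PSNormalizer or QuickLook, which carry no version in the write-up.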

Topics: Security, Apple, Hardware, Operating Systems, Software

Talkback

17 comments
  • RE: Mac OS X Patch Day: 40 security flaws fixed

    Installed this on one 10.5.5 and three 10.4.11 systems and experienced no problems yet.
    I see that you missed several other fixes:

    Finder

    CVE-ID: CVE-2008-3643

    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: A file on the Desktop may lead to a denial of service

    Description: An error recovery issue exists in Finder. A maliciously crafted file on the Desktop which causes Finder to unexpectedly terminate when generating its icon will cause Finder to continually terminate and restart. Until the file is removed, the user account is not accessible via Finder's user interface. This update addresses the issue by generating icons in a separate process. This issue does not affect systems prior to Mac OS X v10.5. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

    Networking

    CVE-ID: CVE-2008-3645

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: A local user may obtain system privileges

    Description: A heap buffer overflow exists in the local IPC component of configd's EAPOLController plugin, which may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking. Credit: Apple.

    There are more and Apple has all of the details at this link:
    http://support.apple.com/kb/HT3216
    phatkat
  • RE: Mac OS X Patch Day: 40 security flaws fixed

    Interesting that you refer to clamX issues since it is not an Apple product.. but thanks for such a great listing of what was addressed, now just do the same for MS updates as well.. With the zeal and headlines..
    thor0128
  • RE: Mac OS X Patch Day: 40 security flaws fixed

    It seems to me that I have seen the number of Apple patches multiply ever since Apple changed to the Intel processor.

    Fact? or just my imagination?

    Anyone else notice?
    Update victim
    • The chip may not be the problem...

      Almost all of these patches have a PowerPC version as well as an Intel version; it may be that they are getting better at finding these vulnerabilities.
      kg6ygs@...
      • Chip Isn't The Problem - This Time

        I've put the patch into my MacBook Pro, but I also put it in my PowerBook G4. So this patch did do both Intel and PPC.
        ManoaHI
  • Bugs and vulnerabilities everywhere.

    All code has vulnerabilities. It's just whether you hide your head in the sand or do something about it. MS is not perfect and Windows users are continually reminded by the drumming of the Woz followers.

    So it's time to take the rose-colored glasses off and join the rest of the world. The code you run on the Macs is no different than any other code on any other platform. It has bugs. It can be hacked. Embrace the fact that Apple is now somewhat willing to admit such and that they are trying to fix the problems.

    Now if we can get rid of the Mac commercials as they are past their time and now having a negative effect with everyone I talk to.
    dave01234
    • Yes, but...

      It would seem when you see Apple patching things there isn't any systematic or widespread active exploits, but with Windows you do (by the time the patch appears).
      zkiwi
      • And why is that?

        Why post something like that, w/o offering an explanation?

        Please provide the evidence that Mac exploits are even attempted in the wild by cyber criminals and terrorists. Can you even do that?

        Can you name any mass e-mail with Mac intended social engineering attacks?

        Can you prove at all, that Macs are deflecting attacks every single day, as are Microsoft machines and networks?

        Can you prove it's because the cyber criminals are shaking in their collective boots over the thought of trying to attack the superior Mac?
        The Mac that gets more patches than any other OS distribution, period. The only system that gets security patches in "MEGA" and "SUPER" form due to the unprecedented high numbers of fixes in each of these frequent "monster" distributions.

        Come on, the world is waiting for your conclusive proof??

        And even if the Mac were more secure - which it's not even close to Vista which even Mac security experts blog as more secure from the ground up with many technological advancements far beyond the Mac - it provides little peace of mind when you realize that Macs are spewing vapors with the "mother of all carcinogens" or benzine, into your lungs every time you sit down at your Mac. Nice going Steve. Can you say, MASSIVE RECALL?

        And you surely would agree with the science behind the report, since it originates from the EU. You have proven a total blind allegiance to all things EU long ago.

        Mac, the ultimate security. How can an exploit affect you....if you are dead?
        xuniL_z
    • @ Dave: Code is NOT the same

      True. All code regardless of platform has vulnerabilities.

      The rest of your statements are wrong. Here is why:

      1) The quality of code is intrinsically better on the Apple platform. There are at least 2 reasons for this:

      I.- Apple got rid of all legacy code 8 years ago and started from scratch on OS X with efficient, refined and powerful new code:

      http://developer.apple.com/macosx/

      II.- Apple is leveraging Open Source for use in a large part of OS X:

      OS X Kernels
      UNIX BSD kernel and Carnegie Mellon University's Mach kernel:
      http://www.apple.com/macosx/technology/unix.html

      Open Source:
      http://www.apple.com/opensource/
      http://developer.apple.com/opensource/index.html

      2) This combination makes OS X much more resilient to big problems such as malware and viruses. In fact, OS X is 8 years old and in all this time there have been zero viruses and about 2 trojans (vulnerabilities that were patched up since).

      3) Apple has always been releasing code updates in OS X and patching vulnerabilities as they are found. I don't know where you get the idea that Apple or anyone else says OS X is 100% problem-free.

      The Apple commercials are quite effective and having a positive impact in the market. People are now beginning to realize there are better alternatives to Windows.
      fox.kenji
      • Wow, so somehow you think the word "UNIX"

        makes an OS better? By what metrics? Most people would wince if they realized their platform was receiving security updates in the hundreds at a time and understood the implications. These MEGA and MONSTER patch distributions are the sign of a better OS? How is that?

        I really don't believe the Intel version of OS X was a re-write, if that's what you mean. It was ported from PPC to Intel. Still BSD and other assorted components that Apple didn't write, they only support it.

        The XNU kernel they acquired (surprise, they didn't write it. ;) ) has the MACH microkernel as a component, which of course was developed at CMU many moons ago. I don't believe BSD is supporting any further advancement of the MACH microkernel but I could be wrong. I don't believe so.
        Just read Ars Technica's review of Leopard, not overly glowing for a respected, but Apple leaning, publication.
        The judgement that the 32 bit kernel (OS X is still not 100% 64 bit, never has been) is at end of useful life is sobering for Apple enthusiasts. At least the MACH component needs replacing. I'm sure they'll find something from somebody they can use.

        To me, Apple is more of a VAR than a hardware and software company. They do design their boxes but they use standard components used in all PCs from other OEMs. (I think Apple is also an OEM for Windows due to the high volume of Macs that get Windows installed and used via Boot Camp or Parallels.) The software comes from other sources. The OS is BSD, the kernel was acquired, the GUI was taken from Xerox code. Sure it's been added to, but any developer knows it's much easier to extend existing work, once the architecture is understood (I question if it fully is sometimes due to that massive number of patches so frequently).

        So Apple is really a VAR for BSD, XNU and the ODM that builds the machines, apparently with poor QA as has been demonstrated with major gaffes over the years, and most currently the "stinky Mac".

        And the industry, at least the objective part that is not bloggers and writers that are one of the Mac's niches, so hence why you rarely see OS X taking a beating here, while Vista was pummeled daily, mostly undeservedly so, considering underneath all of the bashing is a truly rewritten OS using SDL layered approach to security and it is very secure. It is very stable and very fast with reasonable RAM. It is common knowledge Vista is faster than Leopard head to head on comparable hardware.

        The industry, the bloggers, the pundits, the ABM crowd, Apple has called on MS to make an OS with more security than XP, even though XP SP2 is a very fine OS that matches up with any other. There are many metrics in measuring an OS's worth. They also said for years that MS needed to cut life support to backward compatibility cause it burdens the system with a lot extra code.

        MS did basically that, well they kept the compatibility and just cause ABMers say that almost all XP apps and drivers won't run on Vista doesn't make it untrue that they most certainly will in compatibility mode, which takes 2 extra seconds when installing the driver or app.

        I can understand why people dislike the leadership of MS, but the company has great people and it's really been pushed too far.

        But karma has a way of always catching up. :)

        I just hope nobody gets seriously damaged by the recent claims all over Mac boards of the foul smelling vapors coming out of certain new Macs. Very strong and not tolerable in a closed room, even a big room. A French scientist has claimed he found Benzine in the vapor burning off the board somewhere in higher than allowable amounts. I pray that is not true, I would never wish that on anyone.
        The iPhone screen problems are still there....we'll see over time. :)
        xuniL_z
      • not quite right Fox

        1) The quality of code is intrinsically better on the Apple platform....
        >>>> True. Look at Quicktime on MS. Is it due to a lack of understanding, deliberate or just sloppy code?? Pick one.

        2) In fact, OS X is 8 years old and in all this time there has been zero viruses and about 2 trojans
        >>>> I don't count these things but most of that's still due to the percentage in use vs MS.

        3) I don't know where you get the idea that Apple or anyone else says OS X is 100% problem-free.
        >>>> I don't and didn't. As with most hardware and software the more that goes out the door into users (testers) hands the more problems you find. What was once perceived and touted to be so bug free is now receiving patches regularly. My wife is getting rid of her iMAC. Too many times the system locks up (cursor spinning) and the only thing that fixes it is a reboot. Yes it's up to date with patches. Standard apps on it, nothing more.

        The Apple commercials are quite effective....
        >>>> Like the "Hey dude you're getting a Dell" and other commercials they get stale after awhile. Just because the donut tasted great last week doesn't mean you should be serving the same batch this week or the following week.

        One of my customers is getting ready to move buildings. They will be requiring more network hardware to accommodate all the users. Interestingly all the MACs (maybe 10%) will be on their own VLAN. He doesn't want any chances of interference with the rest of the systems/servers. And he likes MACs.
        dave01234
  • RE: Mac OS X Patch Day: 40 security flaws fixed

    Wow! 40 security flaws fixed! Big bleeping deal! My beloved PXLinuxos, which for me is the best OS available, receives regular patches and updates, sometimes daily. Every OS does. Doesn't mean they are bad or defective. Just means they are getting better. My Linux, your WinXP/Vista, your OS X. Why is an OS getting patched and/or updated newsworthy? Slow news day?
    richdave
    • Yes everyone knows there's always one more bug

      Except Mac users. After years of claiming they're inherently secure, their code is the best (what a joke considering their last century development systems), Vista is a dog and their 5% of the global market makes them somehow better than everyone else.

      So ramming into their heads that all OSs need updates is worthwhile. It may stop some of the whines the next time Apple puts out another ancient *nix system with a different UI and claims it to be state of the art.

      So the thread is here to make up for years of abuse ;-)
      tonymcs@...
  • only 40 security holes?

    :-)
    qmlscycrajg
  • WHAT!!???

    pOSX is perfect, they make this stuff up. Ignore it.
    Crestview
  • RE: Mac OS X Patch Day: 40 security flaws fixed

    Really? The old Xerox Parc canard? You do realize that they PAID for the right to observe with Apple stock, right? Oh, and Mac OS X 10.5 bears almost NO resemblance to the original Macintosh, right?

    Come on.

    Apple is to be lauded for losing the Not Invented Here sentiment and using standard OEM equipment. I mean you can't have it both ways. If they build everything themselves, the Windows zealots moan about how closed Apple is. Once it can be seen that Apple uses (mostly) off the shelf stuff, then they're slammed for being a glorified VAR.

    Seems you just want to criticize Apple. Well, fine, but that sure doesn't lend any credence to any complaints you have if you're complaining for the sake of complaining.

    The benzine outgassing is a serious issue that I'd be much happier if Apple was taking a more forthright role in understanding and acting on. I do think (as I've experienced in the past as someone who's built bleeding edge Mac systems) that Apple is working behind the scenes to resolve the issue. I've never liked that way of doing things, frankly.

    All the passion regarding platforms is just so danged misplaced. I've built solutions on several platforms and I just go with what works best. Period.

    Sweating platform is just silly.
    MacKeyser
    • Why is it we always hear this coming from an Apple user

      "I'd be much happier if Apple was taking a more forthright role in understanding and acting on." You can Xerox this on any of their problems of late. iPhone 1 and 2, Leopard, MobileMe, Snow Leopard, MacBook Pro, QuickTime, Safari, iTunes..... The list is long and shameful.
      Come on, this is a vendor nothing more. Hold their feet to the fire on everything. Demand action and force change. Otherwise this "remarkable" growth will be nothing more than a mirror of what Apple accomplished before. Great growth with a couple of products then they hit their creativity end and it is a fast wicked slide back. We have seen this before, and really we are seeing this again.
      By the way OSX has just been found to have over 200 different variants of Malware, almost all socially engineered kind. Perfect for exploitation on a group of computers whose users deny their vulnerability. Google it folks and learn.
      CrashPad