Apple patches security holes in Mac OS X

A bundle of patches for Leopard and Snow Leopard includes a fix for a zero-day flaw that could allow a hacker to take over a browsing session
Written by Tom Espiner, Contributor

Apple has released six patches for Mac OS X and Mac OS X Server, including one for a zero-day flaw that could allow a hacker to hijack a web-browsing session.

The zero-day vulnerability, which was made public in November 2009, lies in an authentication gap in the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) encryption protocols, Apple said in an advisory on Tuesday.

TLS and SSL protocols, commonly used by banks and online retailers to protect transactions, use a series of 'handshakes' to negotiate the session between the server and the client. As the protocols allow renegotiation of the session, an intruder can insert code undetected. The protocol-level breach could allow the attacker to take over a browser session and successfully impersonate the user, in what is known as a man-in-the-middle, or MITM, attack.

Apple has fixed the problem by disabling renegotiation in OpenSSL. As the Internet Engineering Task Force standards body is in the process of updating the protocol, the new patch is a preventive security measure, the company said.

All the Apple patches are for Mac OS X Leopard (10.5) and Snow Leopard (10.6).

Two of the patches deal with system-level image components. ImageIO is vulnerable when a malicious TIFF file is viewed, while a maliciously crafted DNG image could compromise a system through a bug in Image RAW. Both flaws could lead to an attacker taking over a compromised system, said Apple.

Another fix addresses a buffer-overflow issue in CoreAudio. If a user plays a malicious MP4 audio file, it could crash the application or allow an outsider to run code on the affected machine, according to the advisory.

The patch bundle, which is available via Apple's software updates or its download site, also includes a fix for an issue in component-level Cupsd that could be used to create a denial-of-service attack.

The bundle also covers multiple vulnerabilities in the Adobe Flash Player plug-in, which could allow a hacker to control a system that has visited a maliciously crafted website. Apple said the issues are resolved by updating the Flash Player plug-in to version 10.0.42.
