The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.
With Security Update 2010-001, Apple also fixes flaws in the Adobe Flash Player plug-in that ships with the operating system.
- CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
- CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
- Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
- ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
- Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG
- images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
- OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available here. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.
The update is being distributed via Apple's Software Update mechanism.