X
Business
Home Business Companies Apple

Mac OS X dirty dozen: Apple plugs critical security holes

The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.
Written by Ryan Naraine, Contributor

securitymac.png
Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities.

The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.

With Security Update 2010-001, Apple also fixes flaws in the Adobe Flash Player plug-in that ships with the operating system.

Here's the skinny of the vulnerabilities:

followmeontwitter.png

  • CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
  • CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
  • Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
  • ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG
  • images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
  • OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available here. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.

The update is being distributed via Apple's Software Update mechanism.

Editorial standards
Show Comments

Related

Anker Solix X1

Not into the Tesla Powerwall? You can now buy the Anker Solix X1

Placeholder product image alt text

The best AI image generators to try right now

Microsoft Copilot

The best AI chatbots: ChatGPT isn't the only one worth trying