/>
X
Business

Mac OS X dirty dozen: Apple plugs critical security holes

The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.
Written by Ryan Naraine, Contributor on

Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities.

The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.

With Security Update 2010-001, Apple also fixes flaws in the Adobe Flash Player plug-in that ships with the operating system.

Here's the skinny of the vulnerabilities:

  • CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
  • CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
  • Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
  • ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG
  • images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
  • OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available here. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.

The update is being distributed via Apple's Software Update mechanism.

Editorial standards

Related

These are my 5 must-have devices for work travel now
ipad-mini-firewalla-purple-macbook-air

These are my 5 must-have devices for work travel now

Twitter turns its back on open-source development
elon-musk-twitter

Twitter turns its back on open-source development

Southwest, United, and American Airlines have a new enemy -- the internet's ugliest site
Airplane wing in flight

Southwest, United, and American Airlines have a new enemy -- the internet's ugliest site