Apple delivered a security update for Tiger and Leopard on Tuesday with at least 80 patches addressing multiple vulnerabilities.
You know it's a big patch haul from Apple when you read the advisory and:
- You're not sure where to begin;
- You're IMing fellow security folks (Ryan Naraine) to count CVE numbers for some clue of how many patches are included.
Depending on who was counting, I've come up with about 85 CVE numbers, but there are some duplicates in there. Extract those and you still get a tally of roughly 80. The OS X update follows a Safari security update. Looks like Apple is updating its product line today.
Among the highlights:
- ClamAV (CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728): This fix addresses multiple vulnerabilities in Mac OS X Server v10.5.2. Apple says: "Multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution."
- CUPS (CVE-2008-0047, CVE-2008-0053, CVE-2008-0882): Apple updated Mac OS X v10.5.2 and Mac OS X Server v10.5.2 because "multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges."
- Emacs (CVE-2007-5795): This update for Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a vulnerability that allows safe mode checks in Emacs to be bypassed.
- OpenSSH (CVE-2007-4752): The update for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2 addresses a flaw in OpenSSH that allows a remote attacker "to execute arbitrary code with elevated privileges."
- Printing (CVE-2008-0996): Apple updated Mac OS X v10.5.2 and Mac OS X Server v10.5.2 to thwart a print queue issue. Apple says: "An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5."
- System Configuration (CVE-2008-0998): The update covers Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The problem: "The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects."