The fourth major security update for 2011 is now available for Mac OS X customers. It’s not just Snow Leopard users that must install the update, but OS X 10.5 Leopard users as well, Apple reveals.
It provides security fixes in core areas of Mac OS X, including AirPort, App Store, ATS, Certificate Trust Policy, ColorSync, CoreFoundation, CoreGraphics, FTP Server, ImageIO, International Components for Unicode, Kernel, Libsystem, MobileMe, MySQL, OpenSSL, QuickLook, QuickTime, and others.
Apple learned that in certain circumstances, App Store may log the user's Apple ID password to a local file. However, that file is not readable by other users on the system, Apple said.
Nonetheless, the problem needed addressing, and Cupertino did so through improved handling of credentials. Both Leopard and Snow Leopard users are affected.
For MobileMe, the tech giant acknowledges that an attacker with a privileged network position may read a user's MobileMe email aliases. Apple explains why, and how this issue is addressed:
“When communicating with MobileMe to determine a user's email aliases, Mail will make requests over HTTP. As a result, an attacker with a privileged network position may read a user's MobileMe email aliases. This issue is addressed by using SSL to access the user's email aliases.”
This issue only affects Snow Leopard customers, Apple said.
A memory corruption issue also exists in QuickLook's handling of Microsoft Office files. Apple learned that downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution.
The company fixes this in Security Update 2011-004 and outlines that it does not affect systems prior to Mac OS X v10.6. In other words, Leopard users remain unaffected.
Multiple QuickTime issues have been addressed as well. In all cases, viewing a maliciously crafted video file may lead to an unexpected application termination or arbitrary code execution, Apple said.