Apple has patched a total of 28 holes in its latest security update for Mac OS X

Feb 13, 2009 09:49 GMT  ·  By

Yesterday, February 12, 2009, Apple quietly released a number of security updates for all users of Mac OS X Tiger and Leopard, Client and Server, as well as two Java updates and a new version of Safari for Windows users. Without exception, the updates are purely security-focused, with Security Update 2009-001 for Mac OS X containing the largest number of patches.

As disclosed earlier today, Apple's Support section states that Security Update 2009-001 for Leopard and Tiger “is recommended for all users and improves the security of Mac OS X.” Apple also confirms that “previous security updates have been incorporated into this security update.” Regarding Security Update 2009-001 Server, Apple again notes that installing the new software is recommended for all users of OS X Server, as it improves the security of their system.

In the usual Apple manner, the security update is accompanied by a knowledge base article detailing the vulnerabilities and their respective patches included in the new software update.

For example, an issue within AFP Server would allow a user who is able to connect to the server to trigger a denial of service. But how? Well, Apple has learned that “a race condition in AFP Server may lead to an infinite loop. Enumerating files on an AFP server may lead to a denial of service,” the company explains. Therefore, the present update “addresses the issue through improved file enumeration logic. This issue only affects systems running Mac OS X v10.5.6,” according to the Mac maker.

Another patch is aimed at Certificate Assistant. Apple explains that “a local user may manipulate files with the privileges of another user running Certificate Assistant.” For this issue, the company blames an insecure file operation in Certificate Assistant's handling of temporary files.

“This could allow a local user to overwrite files with the privileges of another user who is running Certificate Assistant,” Apple has found. “This update addresses the issue through improved handling of temporary files.” The Mac maker assures that users running versions of Mac OS X prior to 10.5 are not affected by the vulnerability.
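The Certificate Assistant bug above is the classic insecure-temporary-file pattern: a program writes to a predictable name in a shared directory, so whatever another local user has already placed at that name receives the write with the program's privileges. The shell script below is an added illustration written for this article, not Apple's code or the Certificate Assistant fix itself; the function names and the `certassist` file prefix are assumptions. It contrasts the unsafe pattern with the `mktemp(1)` pattern and adds a check a practitioner can run on any path a tool hands back.

```shell
#!/bin/sh
# Added example, not Apple's code: the temporary-file pattern behind the
# Certificate Assistant fix, shown as a shell script. Function names and the
# "certassist" prefix are assumptions made for this illustration.

# Unsafe pattern: a fixed, predictable name in a shared, world-writable
# directory. The name is known in advance, so whatever already exists at that
# path (a file or symlink placed there by another local user) receives the
# write, with the privileges of whoever runs this function.
unsafe_scratch_write() {
  printf '%s\n' "$1" > /tmp/certassist-scratch.txt
}

# Safe pattern: mktemp(1) creates a fresh file with an unpredictable name,
# mode 0600 and exclusive-create semantics, so an existing file or symlink at
# that name is never reused. umask 077 keeps anything else the script creates
# private as well. Prints the path of the new file on success.
safe_scratch_write() {
  umask 077
  f=$(mktemp "${TMPDIR:-/tmp}/certassist.XXXXXX") || return 1
  printf '%s\n' "$1" > "$f" || return 1
  printf '%s\n' "$f"
}

# Check for any path returned by a tool: it must be a regular file, not a
# symlink (test -f follows symlinks, hence the extra -L test), and readable
# and writable by its owner only. Returns 0 when all three conditions hold.
is_private_regular_file() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  case $(ls -ld "$1") in
    -rw-------*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run `p=$(safe_scratch_write "scratch data") && is_private_regular_file "$p"` to see the safe path pass the check; the same check applied to `/tmp/certassist-scratch.txt` after `unsafe_scratch_write` tells you nothing about who created that file or what it points to, which is exactly the gap the update closed.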

Recent tests also revealed that multiple vulnerabilities exist in ClamAV 0.94, the most serious of which may lead to arbitrary code execution, Apple says. The 2009-001 Security Update allegedly addresses the issues by updating ClamAV to version 0.94.2. Mac OS X users should note that ClamAV is distributed only with Mac OS X Server systems. For more details on ClamAV, readers are encouraged to head over to this address.

Apple has also recently discovered that passwords supplied to dscl are exposed to other local users. Because the dscl command-line tool required passwords to be passed to it as command-line arguments, those passwords could be seen by other local users, since any user can view the arguments of running processes. “Passwords exposed include those for users and administrators,” Apple says, pointing out that the 2009-001 Security Update “makes the password parameter optional, and dscl will prompt for the password if needed.”
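Because command-line arguments are visible to every local user through `ps(1)`, a password placed on a command line is disclosed for as long as the process runs. The script below is an added example for this article, not Apple's code: it audits `ps -eo pid,args`-style text for dscl invocations that carry a password inline, either through the `-P <password>` authentication option or as the trailing new-password argument of `-passwd`, and leaves the prompting forms (`-p`, or `-passwd` with no password) alone. The process listing it scans is constructed for the example, and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not Apple's code. Arguments of any process are readable by
# other local users via ps(1), so a password passed on the command line is
# disclosed. find_password_args scans `ps -eo pid,args`-style text and prints
# the PID of each dscl invocation that carries a password inline:
#   -P <password>            authentication password given as an argument
#   -passwd <path> <newpw>   new password given as a trailing argument
# Invocations that let dscl prompt (-p, or -passwd with no trailing
# password, which is what the 2009-001 update enables) are not flagged.

# Constructed sample of `ps -eo pid,args` output; not captured from a real host.
SAMPLE_PS='  PID ARGS
  412 /usr/bin/dscl -u admin -P hunter2 localhost -read /Users/bob
  413 /usr/bin/dscl -u admin -p localhost -read /Users/bob
  414 /usr/bin/dscl . -passwd /Users/alice newpass123
  415 /usr/bin/dscl . -passwd /Users/alice
  416 /usr/bin/dscl . -read /Users/alice
  417 /bin/bash'

# Usage: find_password_args "$(ps -eo pid,args)"   (or pass $SAMPLE_PS)
# Prints one PID per line; prints nothing when no exposure is found.
find_password_args() {
  printf '%s\n' "$1" | awk '
    # $1 is the PID, $2 the executable; only look at dscl processes.
    $2 ~ /(^|\/)dscl$/ {
      for (i = 3; i <= NF; i++) {
        # -P followed by a value: authentication password on the command line
        if ($i == "-P" && i < NF) { print $1; next }
        # -passwd <path> <newpw>: a new password supplied inline
        if ($i == "-passwd" && i + 2 <= NF) { print $1; next }
      }
    }'
}

# Convenience wrapper returning the number of exposed invocations.
count_password_args() {
  find_password_args "$1" | wc -l | tr -d ' '
}
```

On the sample, PIDs 412 and 414 are reported; 413 and 415 rely on the prompt and stay clean. Running the function against a live `ps -eo pid,args` listing is a reasonable periodic check on administrative hosts, and the remediation is the one Apple shipped: omit the password argument and let dscl prompt for it.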

These are just a few of the patches detailed by Apple on the Support section of its site. For the full scoop on Security Update 2009-001, you can visit Apple here. To download the latest security update from Apple, use the links below, or your Mac's Software Update mechanism (Apple menu -> Software Update).

Readers are encouraged to return with their comments, should they see differences in OS behavior after installing the 2009-001 update.

Download Security Update 2009-001 Tiger Client (Free)

Download Security Update 2009-001 Tiger Server (Free)

Download Security Update 2009-001 Leopard Client (Free)

Download Security Update 2009-001 Leopard Server (Free)