14 DAY TRIAL // With the release of Mac OS X 10.5.7, Apple has included security fixes for numerous areas of the Mac OS. A separate Security Update 2009-002, available for OS X 10.4 (Tiger) users plugs holes in areas like Apache, CFNetwork, WebKit and X11. The download is free and can be immediately acquired, right here, on Softpedia.
A complete list of areas in which security issues have been addressed in Mac OS X is available below.
Apache, ATS, BIND, CFNetwork, CFNetwork, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, iChat, International Components for Unicode, IPSec, Kerberos, Kernel, Launch Services, libxml, Net-SNMP, Network Time, Networking, OpenSSL, PHP, QuickDraw Manager, ruby, Safari, Spotlight, system_cmds, telnet, WebKit and X11.
"For Apple, updates this size are now becoming the norm," Andrew Storms, director of security operations at nCircle Network Security, said, according to a piece at PC Advisor. More than a third of the 67 vulnerabilities were labeled with Apple's 'arbitrary code execution' description, the same source reveals, meaning the flaws are critical in nature, although Apple doesn't highlight this aspect. Critical issues can be exploited to compromise a computer.
Among the included fixes is a patch to the Flash Player plug-in, which Adobe covered in February without fail. Apple issues its own updates for the player on the Mac platform. According to the Mac maker, multiple vulnerabilities exist in the Adobe Flash Player plug-in. The issues can be addressed by updating the Flash Player plug-in on Mac OS v10.5.x systems to version 10.0.22.87, and to version 9.0.159.0 on Mac OS X v10.4.11 systems, according to a support document over at Apple's website. The update is included with OS X 10.6.7 or Security Update 2009-002.
A Networking issue is also being addressed on Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6 (Tiger not affected), where a remote user may be able to cause an unexpected system shutdown.
OpenSSL issues also affected all the above-mentioned platforms, but also Mac OS X v10.4.11 and Mac OS X Server v10.4.11. According to Apple, a "man-in-the-middle attacker may be able to impersonate a trusted server or user in applications using OpenSSL for SSL certificate verification." This has happened because several functions within the OpenSSL library incorrectly checked the result value of the EVP_VerifyFinal function, the company explains. By properly checking the return value of the EVP_VerifyFinal function, Apple has been able to patch this hole as well.
As revealed earlier today, Safari has also been the subject of a few internal changes, with updates to Safari 3 and 4 (public beta) plugging three security issues. One of the vulnerabilities is described by Apple as such:
Multiple input validation issues exist in Safari's handling of "feed:" URLs. Accessing a maliciously crafted "feed:" URL may lead to the execution of arbitrary JavaScript. This update addresses the issues by performing additional validation of "feed:" URLs. These issues do not affect systems prior to Mac OS X v10.5. Credit to Billy Rios of Microsoft Vulnerability Research (MSVR), and Alfredo Melloni for reporting these issues.
Mac Tiger users can download the latest security updates from Apple by using the appropriate links below. Leopard users can secure their systems by downloading and installing the Mac OS X 10.5.7 incremental update.
Download Apple Security Update 2009-002
Download Mac OS X 10.5.7 Client
Download Mac OS X 10.5.7 Server