Apple closes 21 holes with 10.5.6
Apple has released the Mac OS X 10.5.6 update, closing 21 holes in the operating system. The security content notes for 10.5.6 list all the issues resolved. The most prominent of these fixes is for the Adobe Flash Player Plug-in. It is related to Adobe's November 5th security alert and fixes multiple issues with the Flash Player Plug-in that allowed arbitrary remote code execution. Apple's remedy is simply to include an updated version of the plug-in in its update. Further browser-related fixes include expanding the list of files marked as unsafe when downloaded and improving validation of domains when accepting cookies.
Other fixes outside the browser include blocking a denial of service when viewing PDF documents with manipulated fonts, a heap buffer overflow in CoreGraphics, an infinite loop which could lead to crashing when dynamic libraries were mounted over NFS, integer overflows in strfmon, and system shutdowns when maliciously crafted ISO files were mounted.
As well as security fixes, 10.5.6 has numerous other improvements. These include an update to MobileMe syncing that reduces the time contact and calendar changes take to reach the cloud service from fifteen minutes to one minute, better Time Machine reliability, and new trackpad system preferences for Mac laptops. Full details of these changes are available in the general release notes. The updates can be downloaded manually or installed automatically through Software Update. Users who are still on Mac OS X 10.4 also have a security update that includes all the appropriate security fixes from the 10.5.6 update; it is available as separate updates for Intel and PPC systems.