Apple closes security holes in Mac OS X
Apple has released security update 2008-001 and upgraded Mac OS X to version 10.5.2 – just before Microsoft begins distributing its monthly updates. The Apple update remedies a total of 11 vulnerabilities: three affected Mac OS X 10.4, six the new 10.5, and two both versions.
Attackers could use manipulated URLs to inject and execute program code in Safari on Mac OS X 10.5. A flaw in the NFS client and server also allowed code to be injected. Furthermore, Mac OS X 10.5 contains the vulnerable X Font Server (XFS) 1.0.4, which Apple has now updated to the patched version 1.0.5. The developers have also fixed the flaw that prevented changes to the X11 security settings, made in order to prevent access for network clients, from being adopted.
On Mac OS X 10.4, Mail also executed commands that contained file:// URIs when a user clicked on such a link; users were not warned in the process.
Terminal.app failed to correctly inspect transferred URLs both on Mac OS X 10.4 and 10.5, allowing attackers to execute arbitrary code. For the Samba server that runs on both operating system versions, the developers at Apple have integrated a patch to remedy a vulnerability that allowed arbitrary code to be injected.
Security update 2008-001 also closes a number of less critical holes. Local users could exploit a flaw in the Directory Services on Mac OS X 10.4 to escalate their privileges on the system. Open Directory's Active Directory plug-in was able to close winbindd, which prevented all further NTLM authentication queries. On Mac OS X 10.5, applications could be launched even after uninstallation if Time Machine still had a backup of them stored.
In addition, Apple has provided Leopard Graphics Update 1.0 for users who have upgraded their Mac OS X to version 10.5.2. This latest version updates graphics card drivers, thereby improving the system's compatibility and stability, according to Apple. Mac OS X 10.5.2 also includes numerous improvements not related to security that increase both stability and speed. Apple has provided a list with the details.
The updates are already being distributed via the operating system's automatic software update function. Users who have disabled automatic updates can also download the update packages from Apple. Users are advised to do so quickly because the updates remedy a number of vulnerabilities that can be exploited remotely.
- About the security content of Mac OS X 10.5.2 and Security Update 2008-001, Apple's security advisory.
- About the Mac OS X 10.5.2 Update, Apple's overview of the changes in Mac OS X 10.5.2
- Download (28.8 MByte) update 2008-001 for Mac OS X 10.4 (Universal)
- Download (16.7 MByte) update 2008-001 for Mac OS X 10.4 (PPC)
- Download (343 MByte) update to Mac OS X 10.5.2 (Combo)
- Download (382 MByte) update to Mac OS X Server 10.5.2 (Combo)
- Download (48.9 MByte) Leopard Graphics Update 1.0 for Mac OS X 10.5.2