In association with heise online

10 October 2008, 12:00

Apple plugs numerous holes in Tiger and Leopard

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Apple has released Security Update 2008-007 to close numerous security holes in Mac OS X 10.4 (Tiger) and 10.5 (Leopard). Some of the holes only affect the server versions, including a critical hole in MySQL and ClamAV 0.93.3 and less critical vulnerabilities in the weblog and Tomcat web server functionality. Additional critical holes in PHP 4.4.8, the CUPS print service, ColorSync, libxslt, PSNormalizer, Quicklook and in the vim editor can be found both in the respective client and server versions, some of which could allow attackers to inject and execute arbitrary code into systems.

Among the less critical vulnerabilities in Mac OS X are several bugs in Apache, Postfix, launchd, in configd's EAPOLController plug-in and in the Script Editor. Apple's update also fixes a DoS vulnerability in the Finder which causes repeated Finder restarts when corrupted files were placed on the desktop. The update also prevents attackers from exploiting a hole in rlogin to elevate their privileges to root level.

In addition, Apple updated the sso_util single sign-on tool to accept passwords from files and renewed several root certificates. Depending on version and platform, updates are between 31 and 199 megabytes in size and can be downloaded both via the automatic update feature or from Apple's website.

Conspicuous this time is the high proportion of critical holes in open source components which have been closed for some time in the official versions but are only being resolved by Apple several weeks later. PHP 4.4.9, for example, has been available for two months and will be discontinued anyway. ClamAV 0.9.4 has been available for five weeks. A US-CERT advisory warned of the hole in Tomcat in mid August. While Apple has offered version 2.2.9 of the Apache web server for download since June 2008, it has only now incorporated it in the updates. However, only Leopard clients and servers contain this server and it is not enabled by default.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit