Apple releases Security Update for Mac OS X
Apple has released Security Update 2010-005 for its Leopard (Mac OS X 10.5.8 client and server) and Snow Leopard (Mac OS X 10.6.4 client and server) operating systems, resolving a total of 13 vulnerabilities – eight of them rated critical. Security Update 2010-005 addresses a buffer overflow in Samba that could allow an unauthenticated remote attacker to cause a Denial-of-Service (DoS) or even execute arbitrary code on a user's system. The issue isn't new; it was corrected in a Samba 3.3 update two months ago.
A heap buffer overflow in the way that CoreGraphics handles PDF files, which could lead to the execution of arbitrary code, has been fixed. A second PDF vulnerability, in the way that Apple Type Services handles embedded fonts, which could also lead to code execution, has been closed as well. For an attack to be successful, a victim must first open a specially crafted PDF file. Other changes include fixes for network interception issues and a buffer overflow in PHP's libpng library.
Additionally, the update includes the 0.96.1 release of the open source ClamAV anti-virus toolkit used only by Mac OS X Server systems, closing several DoS vulnerabilities – ClamAV version 0.96.2 was released on the 12th of this month. The included version of PHP has also been upgraded from 5.3.1 to 5.3.2 (PHP version 5.3.3 came out in July). A full list of changes and updates can be found in the security advisory below.
All users are advised to upgrade to the latest release via the built-in Software Update function as soon as possible. Security Update 2010-005 requires Mac OS X 10.6.4 and is available to download from the Apple Support Downloads site (Client - 80.63 MB, Server - 136.86 MB).
- About Security Update 2010-005, security advisory from Apple.