In association with heise online

01 July 2008, 14:45

New bug fixes and security updates for the Mac OS X

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

It is now possible to download the newest incarnation of Apple's Mac OS X operating system. Version 10.5.4 resolves a number of bugs and, according to Apple, delivers improved performance and stability. Apple updates also close security holes present in Mac OS X 10.5.x (Leopard) and 10.4.x (Tiger).

The bugfixes, which Apple lists in its KnowledgeBase Document, relate primarily to iCal and Spaces, where a bug in the WLAN support gave rise to reliability issues. Problems with the Safari web browser loading secure web pages have also been resolved and Apple has fixed bugs in the Mac OS 10.5.x server.

With the 10.5.4 update and a separate package for Mac OS X 10.4.11, Apple has dealt with a number of bugs that compromised system security. Some security fixes apply to Mac OS X 10.4.11 only. One of these relates to a bug (CVE-2008-2308) that allows an attacker to use maliciously crafted volume mount information to terminate an application and execute arbitrary code. Apple is introducing additional validation for downloaded files to prevent arbitrary code execution while download links are being validated (CVE-2008-2311). Other bugs that have been corrected concern the extension of local user account permissions (CVE-2008-2313) and various bugs in Tomcat.

Only Mac OS X 10.5.x was affected by security holes, and Apple has now closed these. One such is CVE-2008-2310 in c++filt -used to demangle C++ and Java symbols - which an attacker could use to execute arbitrary code. Moreover, under certain circumstances a user with physical access to a system may be able to access the system without entering a password (CVE-2008-2314). Other bugs that have been fixed relate to WebKit's handling of JavaScript arrays (CVE-2008-2307) and the termination of applications by maliciously crafted UDP packets (CVE-2007-6276).

Apple has fixed other security bugs in Mac OS X 10.4.x and Mac OS X 10.5.x. The system now warns of potential security risks when xht and xhtm files are opened (CVE-2008-2309), and a bug in the SNMPv3 validation process (CVE-2008-0960) and in the handling of SMB packets (CVE-2008-1105) as well as a number of other bugs (CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726) have now been fixed.

The updates are available for both the client and server versions of Mac OS X 10.5.x. There is a package for Mac OS X 10.5.3 and a combo update for systems from Version 10.5. The security update for Mac OS X 10.4.x requires 10.411 and is available for both Intel and for Power PC systems.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit