Apple’s ‘Security Update 2007-009’, a Mega Patch for 41 Bugs
Apple has released a large security update that fixes at least 41 flaws in Mac OS X. The patches, shipped on December 17, 2007, are the company's 35th and 36th updates of 2007; in 2006 Apple released only 22 batches of patches across its various products.
The updates cover Mac OS X 10.4 (Tiger) and Mac OS X 10.5 (Leopard).
Security Update 2007-009 fixes several serious vulnerabilities. Most of them could, in principle, let an attacker execute arbitrary code on a Mac; a few instead expose the user's sensitive information or allow applications or files to be placed on the affected machine without authorization.
One example is a Tiger-specific format string flaw in the URL handler of Address Book. An attacker who entices a user to visit a maliciously crafted website could cause the application to terminate unexpectedly or execute arbitrary code. The update addresses the issue through improved handling of format strings.
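The article does not say how the Address Book bug arises, so the following C snippet is an added illustration of the bug class in general (example code, not Apple's and not taken from the advisory): a hypothetical URL-handler logging routine that passes the attacker-controlled URL as the format string, beside the corrected version that passes it as an argument. The point worth noting is that URLs legitimately contain percent-encoding, so even a benign URL carries '%' sequences that a printf-family function will parse as conversions. The sample URL is constructed, and it uses only "%%" so that the vulnerable call remains defined behaviour when run.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical logging routine of a URL handler (example code, not Apple's).
 * A real handler does more, but the format-string mistake looks the same. */
static char logbuf[256];

/* Vulnerable pattern: the attacker-controlled URL *is* the format string.
 * Any '%' sequence in the URL (and percent-encoding guarantees there will be
 * some) is parsed as a conversion: "%x" leaks stack words, "%n" writes memory. */
int log_url_vulnerable(const char *url)
{
    const char *fmt = url;   /* non-literal format: -Wformat-security warns here */
    return snprintf(logbuf, sizeof logbuf, fmt);
}

/* Fixed pattern: constant format, URL passed as an ordinary string argument. */
int log_url_fixed(const char *url)
{
    return snprintf(logbuf, sizeof logbuf, "%s", url);
}

/* Accessor so callers (and tests) can inspect what was actually logged. */
const char *last_log(void)
{
    return logbuf;
}

/* Defensive check a handler can apply before any printf-family call on data
 * it did not build itself: count '%' characters that would start a directive.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample URL. In C source "%%41" is the four characters
     * %, %, 4, 1; only "%%" is used so the vulnerable call stays defined.
     * A real percent-encoded URL such as "...%41" is already undefined
     * behaviour when used as a format. */
    const char *url = "addressbook://entry?name=%%41";

    log_url_vulnerable(url);
    printf("vulnerable: %s\n", last_log());   /* "%%" collapsed to "%" */
    log_url_fixed(url);
    printf("fixed:      %s\n", last_log());   /* logged verbatim */
    printf("directives in \"%s\": %d\n", "x?a=%41",
           count_format_directives("x?a=%41"));
    return 0;
}
```

Compiling with `cc -Wall -Wformat=2` makes gcc and clang flag the non-literal format in `log_url_vulnerable`; that warning, or a review rule that every printf-family format is a string literal, catches this bug class before a fuzzer does.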
Another Tiger-specific issue is a memory corruption flaw in the handling of images with embedded ColorSync profiles, which an attacker could exploit by enticing the user to view a maliciously crafted image. The update resolves it by performing additional validation of such images.
For Leopard, the update fixes a buffer overflow in SNMP: when SNMP is enabled, an attacker could cause an application to terminate unexpectedly or execute arbitrary code. The fix adds validation of SNMP responses.
The update also mends serious bugs in Desktop Services, Core Foundation, Launch Services, Quick Look, iChat, Ruby, Perl, Mail, Python, Safari RSS and Safari, and addresses security holes in Spotlight, the Shockwave plug-in and Software Update.
» SPAMfighter News - 01-01-2008