updated 07:15 pm EDT, Thu September 22, 2005
Security Update 2005-008
Apple today released Backup 3.0, its backup application for Mac OS X. Users who don't have a valid .Mac account are limited to 100MB of backup, according to Apple's documentation. The security updates and Backup 3.0 are also available via the Mac OS X Software Update panel.
Apple said the update fixes a vulnerability in which a maliciously-crafted GIF image may result in arbitrary code execution and a few bugs in Mail.app which could expose the contents of encrypted messages when using auto-reply and could disclose sensitive information when using Kerberos Version 5 for SMTP authentication.
The update also fixes problems with insecure file handling that may result in local privilege escalation; a bug in QuickDraw Manager that could allow a maliciously-crafted PICT image to result in arbitrary code execution; problems where untrusted applets may gain elevated privileges; a bug in the Ruby interpreted scripting language (Tiger only) that could result in arbitrary code execution; cross-site scripting bugs in Safari (when using web archives);
The update also fixes an issue that could allow users with physical access to the system to bypass the "Require password to wake this computer from sleep or screen saver" setting, as well as an issue that would allow users to grant themselves rights to manipulate arbitrary files or perform other privileged actions without authenticating.
Also included in this update are enhancements to LoginWindow for improved interaction with Parental Controls (Mac OS X v10.3.9), X509Anchors to include the Wells Fargo root certificate (Mac OS X v10.3.9), and Safe Download Validation to include Web Archives (Mac OS X v10.4.2).