updated 04:30 pm EDT, Tue June 27, 2006
Mac OS X 10.4.7 released
Apple has released Mac OS X 10.4.7, addressing numerous security issues in the operating system, as well as specific fixes. The update affects Mac OS X 10.4 through 10.4.6, as well as Mac OS X Server 10.4 through 10.4.6. Mac OS X 10.4.7 includes security fixes to AFP, ClamAV, ImageIO, launchd, and OpenLDAP. The update is available on Apple's support downloads Web page, as well as via Mac OS X's built-in software update feature. [updated]
Apple's Mac OS X 10.4.7 update is recommended for all users, and includes general operating system fixes as well as specific fixes which include:
- Preventing AFP deadlocks and dropped connections
- Saving Adobe and Quark documents to AFP mounted volumes
- Bluetooth file transfers, pairing and connecting to a Bluetooth mouse, and syncing to mobile phones
- Audio playback in QuickTime, iTunes, Final Cut Pro, and Soundtrack Pro applications
- Ensuring icons are spaced correctly when viewed on desktop
- Determining the space required to burn folders
- iChat audio and video connectivity, creating chat rooms when using AIM
- Importing files into Keynote 3
- PDF workflows when using iCal and iPhoto
- Reliable use of Automator actions within workflows
- Importing and removing fonts in Font Book
- Syncing addresses, bookmarks, calendar events and files to .Mac
- Compatibility with third party applications and devices
- Previous standalone security updates
An issue in the AFP server allows search results to include the names of files and folders to which the user performing the search has no access. This could result in information disclosure if the names themselves are sensitive information. This update addresses the issue by ensuring that search results only include items for which the user is authorized. This issue does not affect systems prior to Mac OS X 10.4.
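The advisory describes the fix only as filtering search results by authorization. The C below is an added illustration, not Apple's AFP code: a toy file index with POSIX-style ownership and mode bits, a search routine that checks each hit against the caller's identity before copying the name into the result set, and a constructed policy (a caller may learn that an item exists only if the mode bits grant read access; root sees everything). The index contents, uids and gids are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed index of files on a shared volume, each with POSIX-style ownership
 * and mode bits. This is a toy model for the example, not AFP's own data structures. */
typedef struct {
    const char *path;
    unsigned owner_uid;
    unsigned group_gid;
    unsigned mode;   /* rwxrwxrwx permission bits, e.g. 0640 */
} index_entry;

static const index_entry volume_index[] = {
    { "/Shared/README",                  0, 80, 0644 },
    { "/Shared/budget-2006.xls",       501, 80, 0640 },
    { "/Users/alice/salary-review.doc", 501, 20, 0600 },
    { "/Users/bob/notes.txt",          502, 20, 0644 },
};
#define INDEX_LEN (sizeof volume_index / sizeof volume_index[0])

/* Policy assumed for the example: a caller may learn that an item exists only if the
 * mode bits grant that caller read access to it. Root sees everything. */
static bool caller_may_read(const index_entry *e, unsigned uid, unsigned gid) {
    if (uid == 0) return true;
    if (uid == e->owner_uid) return (e->mode & 0400) != 0;
    if (gid == e->group_gid) return (e->mode & 0040) != 0;
    return (e->mode & 0004) != 0;
}

/* Substring search over the index. The authorization check runs per hit before a name
 * is copied to the result set; omitting it is the information leak the update closes. */
size_t search_index(unsigned uid, unsigned gid, const char *needle,
                    const char **out, size_t out_cap) {
    size_t found = 0;
    for (size_t i = 0; i < INDEX_LEN && found < out_cap; i++) {
        if (strstr(volume_index[i].path, needle) == NULL) continue;
        if (!caller_may_read(&volume_index[i], uid, gid)) continue;
        out[found++] = volume_index[i].path;
    }
    return found;
}

/* Number of names the caller is allowed to see for a given query. */
size_t visible_count(unsigned uid, unsigned gid, const char *needle) {
    const char *hits[INDEX_LEN];
    return search_index(uid, gid, needle, hits, INDEX_LEN);
}

/* True if an exact path shows up in the caller's results. */
bool name_visible(unsigned uid, unsigned gid, const char *path) {
    const char *hits[INDEX_LEN];
    size_t n = search_index(uid, gid, path, hits, INDEX_LEN);
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i], path) == 0) return true;
    return false;
}

int main(void) {
    const char *hits[INDEX_LEN];
    size_t n = search_index(502, 20, "", hits, INDEX_LEN);   /* bob searches for everything */
    printf("bob sees %zu item(s):\n", n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", hits[i]);
    return 0;
}
```

The point of the structure is that the permission check sits inside the search loop rather than being applied later by the client: a name that fails the check never leaves the server, so nothing about it (not even its existence) is disclosed.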
An issue in ClamAV's automatic virus database updating may result in a stack-based buffer overflow. A malicious or spoofed ClamAV database mirror may be able to cause arbitrary code execution with the privileges of ClamAV. The Mail service, virus scanning, and automatic virus database updates are off by default. This update addresses the issue by incorporating ClamAV 0.88.2. This issue does not affect systems prior to Mac OS X 10.4.
By carefully crafting a corrupt TIFF image, an attacker can trigger a stack-based buffer overflow which may result in an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. This issue does not affect systems prior to Mac OS X 10.4.
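The advisory does not say what the "additional validation of TIFF images" consists of. As an added illustration that is neither Apple's nor ImageIO's code, here is a bounds-checking walk of the TIFF header and IFD chain in C: every offset and count read from the file is checked against the buffer length before it is dereferenced, and out-of-range field data is refused, so a decoder that only copies field data this validator has accepted cannot read past the input into a fixed-size stack buffer. The sample files are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
    TIFF_OK = 0,
    TIFF_ERR_SHORT = -1,        /* fewer than 8 header bytes */
    TIFF_ERR_MAGIC = -2,        /* not "II"/"MM" or version != 42 */
    TIFF_ERR_IFD_RANGE = -3,    /* IFD (or its entry table) extends past the buffer */
    TIFF_ERR_ENTRY_RANGE = -4,  /* out-of-line field data extends past the buffer */
    TIFF_ERR_TYPE = -5,         /* unknown field type */
    TIFF_ERR_LOOP = -6          /* IFD chain too long (likely circular) */
};

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Byte size of each TIFF 6.0 field type, indexed 1..12. */
static const uint8_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Walk the IFD chain without trusting any offset or count from the file.
 * All arithmetic is done in uint64_t so 32-bit file offsets cannot wrap. */
int tiff_validate(const uint8_t *buf, size_t len) {
    if (len < 8) return TIFF_ERR_SHORT;
    int le;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return TIFF_ERR_MAGIC;
    if (rd16(buf + 2, le) != 42) return TIFF_ERR_MAGIC;

    uint64_t ifd = rd32(buf + 4, le);
    for (int depth = 0; depth < 64; depth++) {
        if (ifd < 8 || ifd + 2 > len) return TIFF_ERR_IFD_RANGE;
        uint64_t n = rd16(buf + ifd, le);
        uint64_t end = ifd + 2 + n * 12 + 4;          /* count + entries + next pointer */
        if (end > len) return TIFF_ERR_IFD_RANGE;
        for (uint64_t i = 0; i < n; i++) {
            const uint8_t *e = buf + ifd + 2 + i * 12;
            uint16_t type = rd16(e + 2, le);
            uint64_t cnt = rd32(e + 4, le);
            if (type < 1 || type > 12) return TIFF_ERR_TYPE;
            uint64_t bytes = cnt * type_size[type];    /* < 2^35, no overflow */
            if (bytes > 4) {                           /* value stored out of line */
                uint64_t off = rd32(e + 8, le);
                if (off + bytes > len) return TIFF_ERR_ENTRY_RANGE;
            }
        }
        uint64_t next = rd32(buf + end - 4, le);
        if (next == 0) return TIFF_OK;
        ifd = next;
    }
    return TIFF_ERR_LOOP;
}

/* Constructed minimal little-endian TIFF: one IFD holding a single ImageWidth entry
 * (tag 256, SHORT, count 1, value 1) and a zero next-IFD pointer. 26 bytes. */
static const uint8_t tiff_ok[] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x01, 0x00,
    0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};
/* Same content in big-endian byte order. */
static const uint8_t tiff_ok_be[] = {
    'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08,
    0x00, 0x01,
    0x01, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};
/* Header points the first IFD to offset 4096 in a 26-byte file. */
static const uint8_t tiff_bad_ifd_offset[] = {
    'I', 'I', 0x2A, 0x00, 0x00, 0x10, 0x00, 0x00,
    0x01, 0x00,
    0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};
/* Entry count claims 65535 entries (786,420 bytes of entry table). */
static const uint8_t tiff_bad_count[] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,
    0xFF, 0xFF,
    0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};
/* A LONG field with count 65536 at offset 8: 262,144 bytes of data that do not exist. */
static const uint8_t tiff_bad_field[] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x01, 0x00,
    0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};

int main(void) {
    printf("ok      -> %d\n", tiff_validate(tiff_ok, sizeof tiff_ok));
    printf("ok (BE) -> %d\n", tiff_validate(tiff_ok_be, sizeof tiff_ok_be));
    printf("bad ifd -> %d\n", tiff_validate(tiff_bad_ifd_offset, sizeof tiff_bad_ifd_offset));
    printf("bad cnt -> %d\n", tiff_validate(tiff_bad_count, sizeof tiff_bad_count));
    printf("bad fld -> %d\n", tiff_validate(tiff_bad_field, sizeof tiff_bad_field));
    return 0;
}
```

The validator deliberately does not interpret tag semantics; its only job is to establish that every structure the decoder will later touch lies inside the bytes actually received, which is the property a stack buffer copy of field data depends on.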
A format string vulnerability in the setuid program launchd may allow an authenticated local user to execute arbitrary code with system privileges. The issue is present in launchd's logging facility. This update addresses the issue by performing additional validation when logging messages. This issue does not affect systems prior to Mac OS X 10.4. Apple gives credit to Kevin Finisterre of DigitalMunition for reporting this issue.
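The advisory says only that launchd now performs "additional validation when logging messages". The C below is an added example, not launchd's source, showing the bug class and a hardened logger: the format string is always a literal, the caller's text is passed purely as a `%s` argument, and a constructed acceptance policy (length limit, printable ASCII) rejects messages that would smuggle control characters into the log. The `launchd` tag and the sample messages are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_MSG_MAX 512

/* Constructed acceptance policy for this example (not launchd's own rules):
 * non-empty, bounded, printable ASCII only. */
bool validate_log_message(const char *msg) {
    size_t n = strlen(msg);
    if (n == 0 || n > LOG_MSG_MAX) return false;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)msg[i])) return false;   /* no \n, \r, tabs, bytes >= 0x80 */
    return true;
}

/* The vulnerable shape, shown as a comment so it is never compiled or run:
 *
 *     syslog(LOG_NOTICE, msg);     // caller-controlled text IS the format string
 *
 * Every %-directive in msg would be interpreted by the formatter. The hardened shape
 * below keeps the format a literal and hands msg over only as data. */
int log_line(char *out, size_t cap, const char *tag, const char *msg) {
    if (!validate_log_message(msg)) return -1;
    return snprintf(out, cap, "%s: %s", tag, msg);
}

/* Renders one accepted message into a static buffer; returns NULL if it was rejected. */
const char *demo_log(const char *msg) {
    static char buf[64 + LOG_MSG_MAX];
    return log_line(buf, sizeof buf, "launchd", msg) < 0 ? NULL : buf;
}

int main(void) {
    const char *samples[] = { "job com.example.agent exited", "%x %x %n", "two\nlines" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *line = demo_log(samples[i]);
        printf("%-30s -> %s\n", samples[i], line ? line : "(rejected)");
    }
    return 0;
}
```

With the literal format, a message such as `%x %x %n` is written to the log character for character, which is also what a detection rule looking for such strings in launchd's log output would then see.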
By carefully crafting an invalid LDAP request, a remote attacker may be able to trigger an assertion in the OpenLDAP server, resulting in a denial-of-service. This update addresses the issue by discarding the invalid request. This issue does not affect systems prior to Mac OS X 10.4. Apple gives credit to the Mu Security research team for reporting this issue.