updated 08:40 pm EDT, Wed May 28, 2008
Apple: critical updates
Apple on Wednesday released dozens of security updates as part of its Mac OS X 10.5.3 update for Leopard and Security Update 2008-003 (PPC Tiger client, Intel Tiger client, PPC Server, Universal Server) for Mac OS X Tiger. The updates fix critical bugs including remote shutdown, arbitrary code execution (multiple, including JPG2000 issues), denial of service (via viewing PNG files), and private information disclosure (via SSL, Tiger Mail, Unicode, malicious BMP/GIF files and Image Capture), as well as a critical code execution bug in the continually updated Adobe Flash plugin. Apple also updated its Single Sign-On feature (CVE-ID: CVE-2008-1578) to prevent passwords from being supplied to other local users.
The extremely large Leopard update, more than 400MB via Software Update, includes a fix for both Leopard and Tiger for AFP Server (CVE-ID: CVE-2008-1027), where the software did not check that a file or directory to be served was inside a folder designated for sharing, allowing a connected user or guest to access any files or folders for which they have permission, even if not contained in folders designated for sharing.
The Apache 2.0.55 update, for Tiger Server only, fixed several vulnerabilities, the most serious of which may lead to cross-site scripting, Apple notes. (The issues that affected Apache 2.2.x were addressed in Security Update 2008-002 for Mac OS X v10.5.2 and Mac OS X Server v10.5.2.)
The security update (CVE-ID: CVE-2008-1028) addressed a Tiger client/server bug in which opening a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution from within AppKit, Apple's rendering engine for its browser and other applications. For both Leopard and Tiger, the Apple Pixlet Video update (CVE-ID: CVE-2008-1577) fixes a similar bug where a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
Apple also noted that a font type bug, fixed in Leopard only, would allow a maliciously crafted embedded font to execute arbitrary code when printing a PDF document containing that font: "A memory corruption issue exists in the Apple Type Services server's handling of embedded fonts in PDF files," Apple wrote in its documentation. "Printing a PDF document containing a maliciously crafted font may lead to arbitrary code execution. This update addresses the issue by performing additional validation of embedded fonts."
The highly critical CFNetwork bug (CVE-ID: CVE-2008-1580), for both Tiger and Leopard systems, meant that Safari's handling of SSL client certificates may disclose information contained in the certificate without the user's knowledge. Apple said that when a web server issues a client certificate request, the first client certificate found in the keychain is automatically sent, without user confirmation. Apple's Help Viewer in Tiger and iCal in Leopard were also updated to prevent code-execution bugs, Apple noted.
Apple also issued security updates for CoreFoundation, CoreGraphics, and CoreTypes on both Tiger and Leopard systems as well as fixes for CUPS printing services (CVE-ID: CVE-2008-1033) on Mac OS X v10.5, noting that printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information. On Tiger systems, Apple patched yet another bug that allowed ImageCapture to manipulate files with the privileges of another user running the same application.
Other kernel updates (CVE-ID: CVE-2008-0177, CVE-2007-6359) for Leopard fixed bugs that allowed remote attackers to cause an unexpected system shutdown: one was in the handling of packets with an IPComp header and the other in the kernel's handling of code signatures in the cs_validate_page function.