http://www.macnn.com/articles/09/02/12/apple.security.updates/

Apple releases Tiger, Leopard security updates

updated 06:15 pm EST, Thu February 12, 2009

 

Apple security updates


Apple has released several security updates for Mac OS X Leopard, Server, Tiger Intel and Tiger PowerPC. A variety of vulnerabilities have been addressed, including a potential issue with the AFP Server that could lead to an infinite loop or denial of service on systems running OS X 10.5.6. For all operating systems, the Apple Pixlet Video code has been corrected to prevent a maliciously crafted movie file from executing arbitrary code.

A memory corruption issue existed in the Resource Manager's handling of resource forks, which could cause an application to close or allow arbitrary code execution. The update improves the validation of resource forks to remedy the problem.

Several CFNetwork vulnerabilities have been addressed, restoring the proper operation of session cookies and cookies with null expiration times. The Certificate Assistant will no longer allow a local user to overwrite files with the privileges of another user who is running Certificate Assistant, although the problem only existed with OS X 10.5 and higher.

The update also fixes several issues with ClamAV 0.94, affecting only Mac OS X Server systems. CoreText code has been corrected to protect against arbitrary code execution when viewing malicious Unicode content on systems running Mac OS X 10.5 or higher, including Server.

The CUPS web interface now properly handles RSS subscriptions to protect against attacks, while DS Tools will no longer expose passwords to other local users. Vulnerabilities have also been addressed with fetchmail, Folder Manager, FSEvents, Network Time and perl.

An issue in csregprinter previously allowed users to obtain system privileges in the event of a heap buffer overflow; the error handling has been improved to correct the problem. The company also addressed an uninitialized buffer issue in the Remote Apple Events server, and the fix prevents the disclosure of memory contents to network clients.

The Safari RSS feed handling had allowed the execution of arbitrary JavaScript in the local security zone, but the handling of embedded JavaScript within feeds has since been improved. Apple also patched vulnerabilities that existed within python, servermgrd, SMB, SquirrelMail, X11 and XTerm.

The security updates are available from the support downloads page on Apple's website. File sizes range from 43MB to 213MB depending on the particular operating system.


by MacNN Staff
