AAPL Stock: 117.81 ( -0.22 )

Printed from

Apple releases Tiger, Leopard security updates

updated 06:15 pm EST, Thu February 12, 2009

Apple security updates

Apple has released several security updates for Mac OS X Leopard, Server, Tiger Intel and Tiger PowerPC. A variety of vulnerabilities have been addressed, including a potential issue with the AFP Server that could lead to an infinite loop or denial of service on systems running OS X 10.5.6. For all operating systems, the Apple Pixlet Video code has been corrected to prevent a maliciously crafted movie file from executing arbitrary code.

A memory corruption issue had existed regarding the Resource Manager's handling of resource forks, allowing code to close an application or execute arbitrary code. The update improves the validation of resource forks to remedy the problem.

Several CFNetwork vulnerabilities have been addressed, restoring the proper operation of session cookies and cookies with null expiration times. The Certificate Assistant will no longer allow a local user to overwrite files with the privileges of another user who is running Certificate Assistant, although the problem only existed with OS X 10.5 and higher.

The update also fixes several issues with ClamAV 0.94, affecting only the Mac OS X Server systems. CoreText code has been corrected to protect against arbitrary code execution when viewing malicious Unicode content on systems running Mac OS X 10.5 or higher systems, including Server.

The CUPS web interface now properly handles RSS subscriptions to prevent against attacks, while DS Tools will no longer expose passwords to other local users. Vulnerabilities have also been addressed with fetchmail, Folder Manager, FSEvents, Network Time and perl.

An issue in csregprinter previously allowed users to obtain system privileges in the event of a heap buffer overflow, although the error handling has been improved to correct the problem. The company also addressed an uninitialized buffer issue in the Remote Apple Events server that now prevents the disclosure of memory contents to network clients.

The Safari RSS feed handling had allowed the execution of arbitrary JavaScript in the local security zone, but the embedded JavaScript within the feed has since been improved. Apple also patched vulnerabilities that existed within python, servermgrg, SMB, SquirrelMail, X11 and XTerm.

The security updates are available from the support downloads page on Apple's website. File sizes range from 43MB to 213MB depending on the particular operating system.

by MacNN Staff



Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented