« Apple Ultracompact USB adapter exchange program kicks off today
Still not convinced you should be using strong WPA/WPA2 passwords? Read on … »

Mac OS X mega-patch

Print This Post Print This Post


October 10th, 2008

Apple has shipped a titanic patch for Mac OS X that plugs up 40 vulnerabilities.

Security Update 2008-007 for Tiger and Leopard is a whopper:

  • Apache: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364) Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Note: Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default.
  • ClamAV: (CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914) Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution.
  • ColorSync CVE-2008-3642) A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.
  • CUPS (CVE-2008-3641) A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the ‘lp’ user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges.
  • libxslt (CVE-2008-1767) A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution.
  • MySQL Server (CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079) MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PHP (CVE-2007-4850, CVE-2008-0674, CVE-2008-2371) PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PSNormalizer (CVE-2008-3647) A buffer overflow exists in PSNormalizer’s handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution.
  • QuickLook (CVE-2008-4211) A signedness issue exists in QuickLook’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.
Share and Enjoy:
  • Digg
  • del.icio.us
  • Reddit

This entry was posted on Friday, October 10th, 2008 at 17:38 and is filed under Stay Secure. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

Comments are closed.