Stephen Withers
Thursday, 06 August 2009 04:48
An unusually small number of open source components are changed for security reasons in this update. Bzip2 is updated to version 1.0.5 to protect against maliciously crafted compressed files, and Perl Compatible Regular Expressions is updated to version 7.6 to prevent the execution of arbitrary code via malicious XML content.
Some Safari-related issues are actually fixed in the underlying frameworks. One example is a flaw that previously existed in 10.5 that could allow a malicious site to display an incorrect URL in a certificate warning.
Another is a change to the list of "potentially unsafe" content types to warn of files that may lead to the execution of JavaScript when they are opened.
One odd-sounding issue is that a fix in 10.5.8 overcomes a flaw that allowed the use of four-finger multi-touch gestures when the screen saver is running.
Other changes prevent local users from overwriting kernel memory and executing arbitrary code with system privileges, correctly delete credentials on leaving the MobileMe preference pane, and protect against denial of service attacks in launchd, maliciously crafted AppleTalk packets, and maliciously formed names of applications appearing in the Login Window.
The update is available via Software Update (the size of the download may vary according to the updates already installed; on our otherwise up-to-date Leopard installation it was 165M), as an incremental updater for 10.5.7 (274M), or as a combo updater that can be used on any 10.5 installation (a hefty 759M).
Applying the combo update is widely regarded as a good repair for a failed update by other means, so some users take the view that it is best to use that version from the outset.
Find out about the Security Update on page 3.