Stephen Withers
Monday, 04 August 2008 07:05
Opinion and Analysis
A similar change prevents malicious web sites from sending values to CoreGraphics that result in memory corruption, unexpected application termination or the execution of arbitrary code.
CoreGraphics' PDF file handling has also been improved - better validation removes an avenue for maliciously crafted documents to cause a heap buffer overflow and hence unexpected application termination or the execution of arbitrary code.
A "resource consumption issue" in the Data Detectors Engine that previously allowed maliciously crafted messages to crash Mail has been fixed. Data Detectors automatically recognises information such as addresses and appointments in text. While it was a new addition to Mac OS X 10.5, a similar technology was part of Mac OS 9.
Disk Utility's repair permissions feature no longer sets permissions on the Emacs editor that allow the execution of commands with system privileges. (It sounds to me that anyone who knew about this issue would have had a good chance of unobtrusively gaining full control over practically any Mac they could lay their hands on.)
Remote attackers are no longer able to cause the termination of the OpenLDAP daemon by sending a maliciously crafted LDAP message.
Similarly, improved bounds checking in OpenSSL prevents maliciously crafted packets causing unexpected application termination or the execution of arbitrary code.
Three other components have been updated, so please read on.