Mac OS X 10.5.6 - this time it's real

Stephen Withers
Tuesday, 16 December 2008 01:28

Opinion and Analysis

As for the security aspects of 10.5.6 and Security Update 2008-008 for Tiger, several of the issues concern improved error checking to avoid problems that could be caused by maliciously crafted files.

Such file types include PDF (Leopard only), CPIO archives, image files generally, Flash content, and ISO images.

There's also a cookie-related issue in Safari that could allow the disclosure of user credentials.

Download validation (Leopard only) has been improved so that files with executable permissions and no specific application association are marked as potentially unsafe.

Changes have been made to various system calls and APIs to avoid privilege escalation, denial of service attacks, and arbitrary code execution. Leopard Server's Podcast Producer has been changed to prevent remote attacks via its administrative functions.

One unusual correction concerns Leopard's Managed Client feature. On systems that lack built-in Ethernet (and the only recent Mac that fits that description is the MacBook Air) certain screen saver settings are not correctly applied, including the lock.

Mac OS X 10.5.6 Update and Security Update 2008-008 are available via Software Update or from Apple's Support Downloads page.

File sizes range from 72M for the PowerPC version of Security Update 2008-008 to 883M for the 10.5.6 Server combo update.

If your 10.5.5 system is otherwise up to date, Software Update may be able to fetch a smaller version of the 10.5.6 updater.