Bumper bundle of security patches for Mac OS X

Stephen Withers
Wednesday, 19 December 2007 01:23

Your IT - Home IT

Apple's Security Update 2007-009 delivers a wide-ranging set of fixes for Leopard and Tiger.

The update covers the desktop and server versions of Mac OS X 10.4.11 and 10.5.1, and many of the issues allow the execution of arbitrary code.

Several items relate to third-party or open source software provided with Mac OS X.

Adobe's Flash Player plug-in 9.0.115.0 and Shockwave plug-in 10.1.1.016 are included. While the former was released earlier this month, Adobe's web site says the latter appeared in March 2006. The Shockwave plug-in provided with Mac OS X 10.5 describes itself as version 10.1r11 with a 2004 copyright date. It is surprising it took so long for Apple to distribute the 'new' version.

Other examples include new versions of the Python, Perl and Ruby interpreters, Samba (which provides Mac OS X's SMB file and printer sharing capabilities), CUPS (the open source Common Unix Printing System, now 'owned' by Apple), the GNU Tar utility (used to create and unpack certain types of archive files), and tcpdump (a network monitoring tool; the update provides version 3.9.7, not the current 3.9.8)

The problem with Apple distributing non-current versions of open source software is that it makes it easier for attackers to find holes in Mac OS X. They can look for any security-related changes between the versions, and then work out ways of exploiting them.

Most of the fixes relate to Apple's own software, including Address Book, ColorSync, iChat, Mail, Quick Look, Safari, Software Update and Spotlight. They generally involve maliciously crafted files or links causing crashes or arbitrary code execution.