Bumper bundle of security patches for Mac OS X

The Software Update update is an interesting one. It has long been known that online software update mechanisms may be open to a 'man in the middle' attack - if a miscreant could find a way to intercept traffic to the update server, it would be possible to deliver malware to the computer being updated. Apparently Mac OS X 10.5 introduced a feature that allowed the execution of external command scripts delivered by the (supposed) update server, allowing the execution of arbitrary commands. This feature has been disabled by Security Update 2007-009.

A swag of other components are also updated. Among the more interesting issues fixed by Security Update 2007-009 are:

"Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission" (10.5 only) Are you running as an admin user? For which folders do you have write access? Potentially very nasty.

"Opening a directory containing a maliciously-crafted .DS_Store file in Finder may lead to arbitrary code execution" (10.4 only) Presumably this could be exploited via a malicious disk image file. Also, thumb drives are so cheap you might give them away outside an office building as a way of introducing your malware into the target organisation.

"Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution" (10.4 only)

"Opening an executable mail attachment may lead to arbitrary code execution with no warning" (10.5 only) Another nasty one. While users should be very careful of opening executable attachments or downloads, the fact that the OS would warn in some circumstances but not others adds to the risk involved. How this previously-fixed bug found its way back into Mac OS X 10.5 remains a mystery.

Security Update 2007-009 can be downloaded using Software Update or via Apple Downloads.