Security updates for Mac OS X, iPhone

Apple has continued its approximately monthly cycle of security updates with a set of patches for Mac OS X, along with the first update of the iPhone software.

Depending on the version of Mac OS X (10.3.9 or 10.4.10, and client or server), the update patches a variety of components including bzip2, CFNetwork, Core Audio, cscope, gnuzip, iChat, Kerberos, mDNSResponder, PDFKit, PHP, Quartz Composer, samba, SquirrelMail, Tomcat, WebKit, and WebCore.

Many of the vulnerabilities addressed allow the execution of arbitrary code (eg, when visiting a web site, opening a file with a maliciously crafted name, opening a maliciously crafted PDF file, or simply by receiving malicious network packets), so Apple recommends the update for all users.

Many of the changes are in open source projects used by Mac OS X. One example is the update to Samba, which provides the Mac's Windows Sharing capability.

Back in May, Symantec's security response team criticised Apple for not including an updated version of Samba in Security Update 2007-005: "The DeepSight Threat Analyst Team has suggested that all Mac OS X users using Windows Sharing disable the functionality until an associated Security Update is released or the 3.0.25 source code can be used to install the update version."

The issue was relatively serious. As Apple puts it, "By sending maliciously crafted MS-RPC requests [to the Samba daemon], a remote attacker can trigger the overflow which may lead to arbitrary code execution."

The updates may be downloaded via Software Update or from Apple's web site.