Apple Plugs Apache, App Flaws

For the second time this month, Apple has released security patches to correct vulnerabilities found in several versions of its Mac OS X.

A "moderately critical" vulnerability in two Apache modules, mod_alias and mod_rewrite, could conceivably give a network user escalated privileges or let them launch a denial-of-service attack . Security officials also modified how the mod_cgid communicates with CGI script, saying it was not "handled properly."

Apple also patched an unspecified vulnerability in the SystemConfiguration subsystem that allows network admins to change network settings and system configuration. Unspecified vulnerabilities were also found in the Mac OS X mail application, Safari Web browser, Windows file sharing and in the environment variables area.

Fixes have been issued for Mac OS X versions: 10.3.2 client and server; 10.2.8 client and server; and 10.1.5 client and server and can be found here.

Earlier this month, Apple patched a lower-priority vulnerability in the code that allowed a local user to "crash" SecurityServer by inputting a long password into a keychain. Several applications in Mac OS X cannot operate without SecurityServer, causing a denial of service.