Apple is out with the Mac OS X 10.5.8 security update release fixing a range of issues.
At the top of the list is a flaw in how OS X handles compressed bzip files. According to Apple’s advisory on the issue, “Decompressing maliciously crafted data may lead to an unexpected application termination.”
Apple is also fixing a web browser issue by way of the CFNetwork layer in OS X. CFNetwork is Apple’s core services framework that provides network layer abstraction to applications. The flaw could potentially have enabled an attacker to spoof a website URL after a browser is redirected with an HTTP 302 redirect.
“This may allow a maliciously crafted website that is reached via an open redirector on a user-trusted website to control the displayed website URL in a certificate warning,” Apple’s advisory states.
To my naked eye this sounds like a similar flaw to one Mozilla fixed with Firefox 3.5.2 earlier this week. Mozilla also had a URL spoofing issue, though Mozilla specifically called out SSL, which is something that Apple has not done in its advisory.