Apple (NASDAQ: AAPL) is updating its Mac OS X to version 10.5.6 with a security patch update that fixes at least 21 security vulnerabilities ranging from a kernel fix to an update for Adobe Flash Player.
US-CERT has issued a Technical Cyber Security Alert on the National Cyber Alert System warning about the severity of the Apple issues.
The US-CERT warning said attackers could exploit the vulnerabilities to “execute arbitrary code, gain access to sensitive information, or cause a denial of service.”
Among the fixes is an updated Adobe Flash Player to protect against multiple issues.
The Flash Player update for Apple comes after Adobe already updated Flash Player for Windows users.
Among the issues fixed by Adobe is one that prevents a potential clickjacking attack. Clickjacking is a new type of attack vector whereby a user unintentionally clicks on a button or object that is hidden underneath a legitimate object.
The Flash Player update isn’t the only Adobe related fix in the Mac 10.5.6 update. Apple Type Server (ATS) gets an update to address the way it handles fonts embedded in a PDF file. Adobe originated the PDF file format.
“An infinite loop may occur in the Apple Type Services server’s handling of embedded fonts in PDF files,” Apple stated in its advisory. “Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service.”
The 10.5.6 update fixes the issue with additional validation of embedded fonts to ensure integrity.
Apple Mac 10.5.6 also includes fixes that are literally at the core of the operating system in a system called CoreServices. One fix for CoreServices addresses a vulnerability that could potentially have enabled a malicious Web site to hijack user credentials.
“Safari allows web sites to set cookies for country-specific top-level domains, which may allow a remote attacker to perform a session fixation attack and hijack a user’s credentials,” Apple’s advisory states. “This update addresses the issue by performing additional validation of domain names.”
Apple CoreTypes gets a fix that could further protect Mac users against “carpet bombing” types of attacks. Carpet bombing attacks were fixed by Apple earlier this year. The attack vector is a drive-by download attack where a user visits a site, gets an unintended download, which then automatically executes on a user desktop.
As part of the CoreTypes fix, Apple has expanded the list of potentially unsafe file types for download validation.
According to Apple, the 10.5.6 fix adds the content type for files that have executable permissions and no specific application association. Apple’s advisory adds that, these files are potentially unsafe as they will launch in Terminal and their content will be executed as commands.
The Apple Mac 10.5.6 update is the first system update since the 10.5.5 update in October which fixed 15 flaws.