Apple Patches Holes in Mac OS X

Apple Computer released its first security patch
of 2005 this week in order to plug some holes in its Mac OS X operating

Security Update 2005-001 for Mac OS X addresses issues with
Apple’s “at” commands, library (libxml2), ColorSync, Safari and Mail
programs as well as specific problems found in PHP and third-party
supplied “SquirrelMail.” The fixes are recommended for all Macintosh
users running server and client versions of Mac OS X 10.3.7 or Mac OS X 10.2.8.

Updates for the “at” commands address what Apple calls “a local
privilege escalation vulnerability.” If not remedied, the problem could allow local users to remove files not owned by them, run programs with added privileges, or read the contents of normally unreadable files. The
update patches the commands “at,” “atrm,” “batch,” “atq,” and “atrun.”

Another critical fix addresses problems with the libxml2 library,
which contains unsafe code Apple said may be exploited in applications linked against it. The flaw could potentially be exploited into buffer overflows.

Apple’s update also repairs multiple known vulnerabilities in PHP , including remote denial of service and execution of arbitrary code.

Secunia Research has been credited in finding a problem in Mac OS X
browser Safari. The fix is only necessary for users that do not enable
the “Block Pop-Up Windows” feature. Without the patch, users can be
mislead about the content of a Pop-up window if they used an untrusted
link to navigate to a site.

For its Mail client, Apple has adjusted its code so that e-mail
messages sent from a single machine can be identified. Previously, a
GUUID (Globally Unique Universal ID) containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header. Apple’s patch now hides the info in Mail with the help of a
cryptographic hash.

Separately, a cross-site scripting vulnerability in SquirrelMail that
allowed e-mail messages to contain content that would be rendered by a
user’s Web browser has been fixed.

Apple said the Security Update can be downloaded and installed via
Software Update preferences, or from Apple Downloads.

News Around the Web