Apple Patches Tiger and Leopard

Apple Mac users: It’s time to patch your systems. Yes, again, after a whole lot of patches this year.

Security Update 2007-009 from Apple provides updates for both OS 10.4 Tiger as well as the new OS 10.5 Leopard. In total there are 31 fixes for issues ranging in severity from information disclosure to arbitrary code execution. As an added bonus, if you’re running Apple’s Safari browser for Windows XP or Vista, you also need to update.

Among the issues fixed are three that deal with Apple’s use of CUPS (Common UNIX Printing System). The first, affecting both Tiger and Leopard users, is a memory corruption issue that could enable an attacker to crash a system or execute arbitrary code.

Another issue with CUPS, affecting just Tiger, involves the use of SNMP (Simple Network Management Protocol). According to Apple’s advisory on the issue, “The CUPS back-end SNMP program broadcasts SNMP requests to discover network print servers. A stack buffer overflow may result from an integer underflow in the handling of SNMP responses.” As a result, the system could crash or arbitrary code could be executed.
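As an added illustration of the bug class the advisory describes (this is not CUPS code; the header layout, field names and buffer size are hypothetical and the responses are constructed), the snippet below shows how an unsigned length derived from an untrusted response header wraps on underflow, and the checks that stop it before any copy into a stack buffer:

```c
/* Added example, not Apple's or CUPS's code: length handling for a
 * hypothetical SNMP-style response with a fixed 4-byte header whose
 * bytes 2..3 carry a little-endian "declared length" for the whole message. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN   4   /* hypothetical fixed header size */
#define REPLY_BUF 64  /* hypothetical stack buffer for the payload */

/* The unsafe arithmetic, kept as a pure calculation so it can be observed
 * safely: when declared < HDR_LEN the subtraction wraps to a huge size_t,
 * which an unchecked memcpy would then use as its copy length. */
size_t unchecked_payload_len(size_t declared) {
    return declared - HDR_LEN;
}

/* Hardened handling: validate the declared length against the header size
 * and the bytes actually received before subtracting, then check the result
 * fits the destination. Returns the payload length, or -1 on rejection. */
int checked_copy_payload(const uint8_t *resp, size_t received, uint8_t *out) {
    if (received < HDR_LEN) return -1;                 /* header incomplete */
    size_t declared = resp[2] | (resp[3] << 8);        /* untrusted length field */
    if (declared < HDR_LEN || declared > received) return -1; /* underflow or truncated */
    size_t payload = declared - HDR_LEN;
    if (payload > REPLY_BUF) return -1;                /* would overrun the stack buffer */
    memcpy(out, resp + HDR_LEN, payload);
    return (int)payload;
}

/* Convenience wrapper: copies into a local stack buffer and reports the result. */
int copy_sample(const uint8_t *resp, size_t received) {
    uint8_t buf[REPLY_BUF];
    return checked_copy_payload(resp, received, buf);
}

/* Constructed responses: sane, declared length shorter than the header, and
 * declared length longer than what was received. */
static const uint8_t SAMPLE_OK[]    = {0x30, 0x00, 0x08, 0x00, 'a', 'b', 'c', 'd'};
static const uint8_t SAMPLE_UNDER[] = {0x30, 0x00, 0x02, 0x00, 'x', 'y', 'z', 'w'};
static const uint8_t SAMPLE_TRUNC[] = {0x30, 0x00, 0x40, 0x00, 'a'};

int main(void) {
    printf("unchecked length for declared=2: %zu\n", unchecked_payload_len(2));
    printf("sane response: %d\n", copy_sample(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("underflowing response: %d\n", copy_sample(SAMPLE_UNDER, sizeof SAMPLE_UNDER));
    printf("truncated response: %d\n", copy_sample(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```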

A third issue with CUPS that affects Tiger is a buffer overflow condition that is within the printer driver itself. The impact of this flaw could be privilege escalation.

Apple has also fixed its iChat instant messaging application in Tiger. According to Apple’s advisory, “a person on the local network may initiate a video connection without the user’s approval.” Apple has resolved the issue by prompting the user for approval before a video conference is started.

There are also a lot of fixes for dynamic languages in Apple’s update including new versions of Perl, Python and Ruby.

For Leopard, which was just updated a month ago to version 10.5.1, there is a fix for the Software Update mechanism itself. Apple’s advisory describes a situation in which, when Software Update checks Apple’s repository for updates, there is a possibility of a man-in-the-middle attack.

“By intercepting requests to the update server, an attacker can provide a maliciously crafted distribution definition file with the “allow-external-scripts” option, which may cause arbitrary command execution when a system checks for new updates,” Apple’s advisory states.

The Safari web browser for Tiger and Leopard, as well as Windows XP and Vista, gets patched in this update for an information disclosure issue. The vulnerability is due to the way the browser allows pages to navigate the subframes of other pages, which could be used in a cross-site scripting (XSS) scenario to obtain a user’s information.

The 2007-009 security update is Apple’s first that deals with both Tiger and Leopard. Tiger was last updated to version in mid-November with 40 fixes. Apple has been busy this year patching its QuickTime software as well, updating the media software last week to version 7.3.1 for a variety of serious flaws.
