 |
From “time to update” files:
Apple is out with the Mac OS X 10.5.8 security update release, fixing a range of issues.
At the top of the list is a flaw in how OS X handles compressed bzip files. According to Apple’s advisory on the issue, “Decompressing maliciously crafted data may lead to an unexpected application termination.”
Apple is also fixing a Web browser issue, by way of the CFNetwork layer in OS X. CFNetwork is Apple’s core services framework that provides network layer abstraction to applications. The flaw could potentially have enabled an attacker to spoof a Web site URL after a browser is redirected with an HTML 302 redirect.
“This may allow a maliciously crafted Web site that is reached via an open redirector on a user-trusted website to control the displayed Web site URL in a certificate warning,” Apple’s advisory states.
This sound like a similar flaw to one Mozilla fixed with Firefox 3.5.2 earlier this week. Mozilla also had a URL spoofing issue though. Mozilla specifically called out SSL, which is something that Apple has not done in its advisory.
Next page: Image and networking vulnerabilities
