Apple Updates to Fix Open Source Security Issues

Though Apple’s Mac OS X operating system itself is not open source, it does include many components that are — which also means that it’s potentially susceptible to the same vulnerabilities that have affect open source projects.

As a result, open source applications in particular are strongly represented on the list of patched items in Apple’s latest security update, 2008-007.

Among the open source applications patched in the update is the Apache Web server. Apple (NASDAQ: AAPL) is updating Mac users to Apache HTTP version 2.29 from the 2.28 version that had potential Cross-Site Request Forgery (CSRF) issues.

Apple also updated the Apache Tomcat Java middleware server. Tomcat 6.0.18 addresses CSRF issues in the prior version of Tomcat that Apple had been providing to Mac OS X Server v10.5.5 users.

Open source antivirus application ClamAV received an update to version 0.94 to protect Mac users against multiple vulnerabilities in the earlier 0.93.3 version. The vulnerabilities could have potentially led to an arbitrary code execution issue on Mac OS X servers.

The open source Common Unix Printing System (CUPS) is being updated by Apple to protect against a remote arbitrary code execution issue. According to Apple’s advisory, a vulnerability in the Hewlett-Packard Graphics Language (HPGL) filter could cause arbitrary memory to be overwritten with controlled data.

“If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution,” Apple said in its advisory. “If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges.”

Apple’s security update 2008-007 also includes updates to the open source MySQL database, bringing it to version 5.0.67 to protect against issues that exist in MySQL 5.0.45, the most recent version for Mac OS X Server v10.5.5.

The open source PHP language also receives a boost to version 4.4.9, addressing issues in PHP 4.4.8. There is also a fix for the open source Postfix mail server that ships with Mac OS X 10.5.5 to correct a configuration file issue.

“For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network,” Apple’s advisory said. “During this time, a remote entity who could connect to the SMTP port may send mail to local users and otherwise use the SMTP protocol.”

Apple’s use of open source software in Mac OS’s technologies has been an issue that security researchers have pointed to in the past as a potential risk. In 2007, researcher Charlie Miller alleged that the way to find a zero-day bug on a Mac is a simple exercise of finding open source packages that are out of date. Miller himself identified an iPhone exploit that he discussed at the Black Hat Las Vegas 2007 security conference.

The 2008-007 update isn’t all about open source software, as Apple used it to fix some other components, too.

Among them is an update to Apple’s ColorSync color management system to protect against an arbitrary code execution risk. The issue could have been triggered by a user viewing a maliciously crafted image file, the company said.

News Around the Web