SANS ISC: Apple Update 10.5.3 and Apple Security Update 2008-003

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Apple released a huge update today in 10.5.3, however, I'm only going to highlight the Security Portion of the update, 2008-003.  Some of these are purely Apple updates, some are simply updates to the Open Source packages that Apple provides in it's Operating System.

Updates to the following modules were made:

AFP Server -- Files that are not designated for sharing may be accessed remotely.

Apache -- Multiple vulnerabilities in Apache 2.0.55, including cross-site scripting.  Apache is updated to version 2.0.63 to address several vulnerabilities.

AppKit -- Maliciously crafted file, unexpected application termination, arbitrary code execution.

Apple Pixlet Video -- Vulnerability to unexpected application termination, arbitrary code execution.

ATS -- Vulnerability to arbitrary code execution

CFNetwork -- Vulnerability leading to disclosure of sensitive information

CoreFoundation -- Vulnerability leading to unexpected application termination or arbitrary code execution.

CoreGraphics -- Vulnerability that may lead to an unexpected application termination or arbitrary code execution.

CoreTypes -- Lack of prompting against opening "certain potentially unsafe content types" in Automator, Help, Safari, and Terminal.

CUPS -- Information disclosure.

Flash Player Plug-in -- Arbitrary code execution, Updating to version 9.0.124.0.

Help Viewer -- Vulnerability to application termination or arbitrary code execution.

iCal -- Vulnerability to unexpected application termination or arbitrary code execution.

International Components for Unicode -- Disclosure of sensitive information.

Image Capture -- Path traversal vulnerability.

ImageIO -- Out-of-bounds memory read leading to information disclosure, Multiple vulnerabilities in libpng version 1.2.18, and Vulnerability to unexpected application termination or arbitrary code execution.

Kernel -- Remote vulnerability to unexpected system shutdown due to undetected failure condition and Local user vulnerability to unexpected system shutdown due to mishandling of code signatures.

LoginWindow -- Race condition preventing MCX preferences being applied

Mail -- IPv6 vulnerability leading to unexpected application termination, information disclosure, or arbitrary code execution.

ruby -- Remote vulnerability,  updated to version 1.1.4

Single Sign-On -- Password disclosure in sso_util

Wiki Server -- Remote vulnerability to information disclosure

Happy patching all!  I've upgraded three systems here, and I've had no problems that I can tell so far.

--

Joel Esler

http://www.joelesler.net