Apple's own "Patch Tuesday" came in like a lion. In what was easily the biggest update in a while, Apple released a massive set of patches on Tuesday afternoon fixing more than 90 vulnerabilities in almost every component of its operating systems.
To add to the load, Apple updated its Safari browser earlier today for both Mac and Windows, covering a total of 13 vulnerabilities.
Altogether, Tuesday's patches fixed bugs in both the client and server editions of Mac OS X Tiger and Leopard.
The Leopard bundle included fixes for AFP Client, Apache, Application Firewall, ClamAV, CUPS, Emacs, Help Viewer, Image Raw, Kerberos, mDNSResponder, OpenSSH, pax archive, PHP, Podcast Producer, Preview, Printing, System Configuration, UDF, Wiki Server and X11.
In particular, the Leopard patch bundle fixed several password and authentication problems found in Kerberos, Podcast Producer, Preview and Printing. Apple said that Mac OS X Server's Podcast Producer included a component that passed passwords to a subtask through its arguments, which could expose the passwords to other local users.
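The Podcast Producer weakness described above is a general one: anything placed on a child process's command line is readable by every local user through `ps` or `/proc`. The following example is added here to illustrate it (it is demonstration code written for this article, not Apple's code); the child processes, the constructed `DEMO_SECRET` value and the helper names are all assumptions. It spawns a child twice, once with the secret in `argv` and once with the secret delivered over a stdin pipe, and reports whether the secret is visible in the child's public command line.

```python
import os
import subprocess
import sys

# Constructed demo value; not a real credential.
DEMO_SECRET = "demo-password-not-real"


def _child_cmdline(pid: int) -> str:
    """Return a running process's command line the way any local user can read it."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        # Linux: argv entries are NUL-separated in /proc/<pid>/cmdline.
        with open(proc_path, "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    # Fallback for systems without /proc (e.g. macOS): ask ps for the args.
    out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True)
    return out.stdout


def secret_visible_via_argv(secret: str) -> bool:
    """Weak pattern: the secret is handed to the subtask on its command line.

    Returns True if the secret can be read from the child's public argv.
    """
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.read()", secret],
        stdin=subprocess.PIPE,
    )
    try:
        # Popen returns only after the child has exec'd, so argv is the child's own.
        return secret in _child_cmdline(child.pid)
    finally:
        child.communicate(b"")  # close stdin so the child exits, then reap it


def secret_visible_via_stdin(secret: str) -> bool:
    """Hardened pattern: the subtask reads the secret from a private stdin pipe.

    Returns True if the secret can be read from the child's public argv
    (it should not be).
    """
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.read()"],
        stdin=subprocess.PIPE,
    )
    try:
        return secret in _child_cmdline(child.pid)
    finally:
        child.communicate(secret.encode())  # deliver the secret, then reap


if __name__ == "__main__":
    print("argv leaks secret:", secret_visible_via_argv(DEMO_SECRET))
    print("stdin leaks secret:", secret_visible_via_stdin(DEMO_SECRET))
```

The same reasoning applies to environment variables on systems where other users can read a process's environment, so a pipe, a file descriptor passed at spawn time, or a file with restrictive permissions is the usual fix for a privileged parent that must hand a credential to a helper.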
Similarly, Preview and Printing services contained flaws that could expose the contents of an encrypted PDF without requiring the use of a password.
The Tiger update plugged holes in AFP Client, AFP Server, Apache, AppKit, CFNetwork, ClamAV, CoreFoundation, CoreServices, CUPS, curl, Emacs, file, Foundation, Help Viewer, Kerberos, libc, notifyd, OpenSSH, PHP, System Configuration and X11.
While Apple doesn't have a designated severity rating system, numerous vulnerabilities in the latest update allow "arbitrary code execution," a signal to users that the errors should be treated as a critical threat.
An Image Raw-related error left users vulnerable to a denial of service attack or the execution of arbitrary code on their computers when they opened up a maliciously crafted image.
"A stack-based buffer overflow exists in the handling of Adobe Digital Negative image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution," said Apple in its advisory. "This update addresses the issue through improved validation of DNG image files."
Apple said that the Image Raw problem does not affect systems prior to Mac OS X.
In addition, flaws fixed by patches in Apple's Foundation allow a remote attacker to execute malicious code, trigger a denial of service attack or interfere with users' file operations to achieve elevated privileges.
Likewise, vulnerabilities in the built-in Help Viewer application could be exploited by enticing users to open a malicious link or to visit a compromised Web site.
Many of the patches in the OS X bundle repair flaws in third-party software. Almost 20 of the updates correct problems in the Mac version of ClamAV, an open-source anti-virus program, flaws that could also leave systems vulnerable to remote attack.
Apple's Security Update 2008-002 is available in three distributions each for Mac OS X client and Mac OS X Server. Users can obtain it through the Mac OS X Software Update mechanism located under the Apple menu, or download it from the company's site.