Apple Issues Big Patch Load For Mac OS X, Safari


Altogether, Apple's patch load incorporated multiple fixes for its Safari Web browser, AFP Server, Apple Pixlet Video, CarbonCore, CFNetwork, Certificate Assistant, Network Time, Printing, Remote Apple Events, the Perl and Python programming languages, servermgrd, the SMB file and SMB server components, SquirrelMail, X11 and XTerm.

Included in Apple's security update were fixes aimed at repairing flaws in its Safari Web browser. The patch fixed multiple validation issues in the way the browser handles feed: URLs, which, if left unpatched, could allow attackers to execute arbitrary JavaScript. The update addresses the flaw with improved handling of embedded JavaScript, Apple said in its advisory.

Meanwhile, Apple's latest security update patches at least 22 errors in its Mac OS X operating system, resolving issues ranging from video flaws to programming language glitches. One of the OS X glitches repaired with the security bulletin was a memory corruption error in the Apple Pixlet Video codec, which could allow attackers to execute malicious code on affected systems if a user opened a maliciously crafted movie file.

Also included in the patch load were fixes for errors in CoreText, the Common Unix Printing System and the Perl and Python programming languages -- all of which could lead to remote code execution. Apple also updated SquirrelMail to version 1.4.17 to address a cross-site scripting issue, among others.


The update also repaired a slew of vulnerabilities in the open source ClamAV antivirus software distributed with Mac OS X Server systems, the most serious of which could allow an attacker to mount an attack remotely.

Apple repaired buffer overflow vulnerabilities and memory corruption errors in its Server Message Block (SMB) support, which could allow attackers to execute code remotely or completely shut down an affected system if a user connected to a maliciously crafted SMB file system or file server.

While Apple does not rank its patches by their severity, other software companies designate a flaw that enables remote code execution to be a critical vulnerability.

Apple's security update also addressed less severe vulnerabilities. Other patches for Apple's AFP Server fixed vulnerabilities that could lead to denial of service attacks, while the fix for Remote Apple Events addressed an issue that could lead to unexpected application termination or unauthorized information disclosure.

Another patch for Apple's Printing function prevented local users from obtaining system privileges through a heap buffer overflow vulnerability resulting from a handling error, while a patch for servermgrd prevented remote attackers from accessing the Server Manager without authorization.