| | Apple patches a batch of Mac OS X flaws...
Published: May 4, 2005, 7:29 AM PDT
By Dawn Kawamoto
Staff Writer, CNET News.com
Apple Computer on Tuesday released 20 patches for its OS X operating system designed to fix flaws that could catch users off-guard.
The vulnerabilities apply to Mac OS X v10.3.9 and Mac OS X Server 10.3.9, according to Apple's advisory. The announcement comes roughly a month after Apple issued nearly a dozen patches for its Mac OS.
The advisory also falls just days after Apple's much ballyhooed release of the latest version of its operating system, Mac OS X 10.4, widely known as Tiger. The patches do not apply to that release.
Security company Secunia on Wednesday rated Apple's OS X flaws as "highly critical." Among the flaws of greatest concern is a vulnerability in the OS X AppKit that relates to the handling of TIFF graphics files.
"If people view a malicious TIFF, it could result in running arbitrary code," said Thomas Kristensen, chief technology officer for Secunia. "TIFF is usually viewed as safe form to view things, so this makes it more critical."
Another issue of concern is an AppleScript flaw. If users visit a Web site and accept AppleScript from that site, they could find it executing different code than they had expected, Kristensen added.
A flaw affecting the Apache Web server, meanwhile, could allow a buffer overflow in the htdigest program, which if used improperly in a CGI application could in turn allow a remote system attack.
Secunia downplayed the Apache flaw.
"Apache is an important bug fix, but it would be unusually difficult to exploit and it would need an unusual configuration," said Thomas Kristensen, chief technology officer for Secunia.
Two vulnerabilities were also found in the operating system's Bluetooth wireless capabilities. One could allow files to be shared without properly notifying the user, while another could be used by a malicious attacker to access files outside the default file exchange directory via the Bluetooth file and object exchange services.
Another flaw could allow directory services to be altered to give privileges to someone who is unauthorized to have them, according to the advisory.
Apple's OS X patch announcement also includes fixes for Finder, Foundation, Help Viewer, LDAP, libXpm, lukemftpd, NetInfo, Server Admin, sudo, Terminal and VPN.
The computer maker recently moved to a system in which it issues monthly patch release announcements, a practice employed by other software makers, such as Microsoft.
docs.info.apple.com
news.com.com |
|
