Apple has released Security Update 2008-003 for Mac OS X 10.4.11 to extend the security fixes included in Mac OS X 10.5.3 and Mac OS X Server 10.5.3 to systems running Mac OS X 10.4 Tiger. Most notable among the fixes is one that blocks the iCal vulnerability publicized recently by Core Security Services (see “Unpatched iCal Security Flaws Present Low Risk,” 2008-05-22). The reason for Apple’s foot-dragging on the iCal vulnerabilities is now clear: if Security Update 2008-003 had been the only release necessary, it could likely have happened on the schedule Apple originally promised. But coordinating a full update to Mac OS X 10.5.3 simultaneously is a much taller order, and Apple undoubtedly wanted to avoid releasing Security Update 2008-003 separately from Mac OS X 10.5.3 Update.
A wide variety of other vulnerabilities have been eliminated in this release, including the following. I list these not because anyone is likely to have encountered them, nor to scare everyone into updating (although that’s a good idea). Instead, I’m providing the details to give a sense of just how many security vulnerabilities are found, reported, and patched on a regular basis. As much as there’s no need to become paranoid, security really is a big deal in our increasingly networked world.
- AFP Server now verifies that any file or folder it serves lies inside a folder designated for sharing; previously a connected user could reach any file or folder their permissions allowed, even one outside the shared folders.
- The Apache Web server in Mac OS X 10.4.11 is updated to version 2.0.63 to fix several vulnerabilities, including one that could lead to cross-site scripting. (Mac OS X 10.5 and Mac OS X Server 10.5 both ship with Apache 2.2.x.)
- Applications like TextEdit that use AppKit are no longer vulnerable to arbitrary code execution from maliciously crafted files; this fix is necessary only for Mac OS X 10.4.11.
- Apple Type Services and CoreGraphics now prevent crashes or arbitrary code execution stemming from opening a maliciously crafted PDF, or printing one containing a maliciously crafted embedded font.
- Safari’s SSL handling has been updated to prompt the user before responding to client certificate requests from Web servers; previously Safari merely sent the first client certificate in the keychain, which could have led to disclosure of sensitive information.
- Mac OS X now alerts users to more potentially unsafe content types, including files used by Automator, Help, Safari, and Terminal.
- The Flash Player plug-in is updated to version 9.0.124.0, which resolves multiple issues, some of which could lead to arbitrary code execution.
- A fix in the International Components for Unicode prevents the disclosure of sensitive information caused by visiting a maliciously crafted Web site.
- Image Capture now prevents information disclosure via its embedded Web server through improved URL handling, and also prevents a local user from manipulating files with the privileges of another user.
- The Mac OS X kernel is no longer vulnerable to a remote system shutdown triggered by sending a maliciously crafted packet to a system configured to use IPsec or IPv6.
- In Mac OS X 10.4, when sending mail through an SMTP server over IPv6, Mail could disclose sensitive information to message recipients and mail server administrators. An uninitialized memory buffer in Mail could also have been exploited to cause crashes or arbitrary code execution.
- The Mongrel HTTP server for Ruby is updated to version 1.1.4 to block a bug that could allow a remote attacker to read arbitrary files.
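The AFP Server item above describes a classic share-root containment bug: the server checked the user's permissions on the requested file but not whether the file lived under a shared folder. As an added illustration (this is not Apple's code, and it makes no claim about how AFP Server implements its check), here is the kind of containment test such a fix needs. It canonicalises both the share root and the requested path so that `..` segments and symbolic links cannot escape the share, and compares path components rather than string prefixes. The share layout it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile


def is_inside_share(share_root: str, requested: str) -> bool:
    """Return True only if `requested` resolves to a location inside `share_root`.

    Both paths are canonicalised with os.path.realpath, so '..' segments and
    symbolic links are resolved before the comparison. os.path.commonpath
    compares whole path components, so a sibling such as '/srv/share2' is not
    mistaken for being inside '/srv/share'. An absolute `requested` path is
    deliberately not rebased onto the root; os.path.join discards the root in
    that case and the check then fails closed.
    """
    root = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(root, requested))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Raised when the two paths cannot share a prefix (e.g. different drives
        # on Windows); treat that as outside the share.
        return False


def build_demo_tree() -> tuple:
    """Construct a throwaway layout: a shared 'Public' folder beside a 'Private'
    one, plus a symlink inside the share that points outside it. Returns
    (share_path, private_path). Constructed sample data, not a real share."""
    base = tempfile.mkdtemp(prefix="afp-demo-")
    share = os.path.join(base, "Public")
    private = os.path.join(base, "Private")
    os.makedirs(os.path.join(share, "docs"))
    os.makedirs(private)
    with open(os.path.join(private, "secret.txt"), "w") as fh:
        fh.write("not for sharing\n")
    # A symlink that lives inside the share but resolves to the private folder.
    os.symlink(private, os.path.join(share, "link"))
    return share, private


def check_requests(share: str) -> dict:
    """Evaluate a handful of client requests against the share root."""
    requests = [
        "docs/report.txt",           # ordinary file inside the share: allowed
        "",                          # the share root itself: allowed
        "../Private/secret.txt",     # traversal out of the share: denied
        "link/secret.txt",           # symlink escape out of the share: denied
        "/etc/passwd",               # absolute path, never rebased: denied
    ]
    return {req: is_inside_share(share, req) for req in requests}


if __name__ == "__main__":
    share_dir, _ = build_demo_tree()
    for req, allowed in check_requests(share_dir).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {req!r}")
```

The symlink case is the one that a permission-only check misses entirely: the link itself is inside the share and readable, yet its target is not. Note that `realpath` does not fold case, so on a case-insensitive volume such as HFS+ two differently cased spellings of the same folder compare as different paths; a production check on such a filesystem would need to normalise case as well.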
Security Update 2008-003 is most easily installed via Software Update because otherwise you must pick the right version to download: for the desktop versions of Mac OS X 10.4, choose either PowerPC (72 MB) or Intel (111 MB), and for Mac OS X Server, choose either PowerPC (88.9 MB) or Universal (118 MB).