Apple posts Security Update 2007-009

Apple on Monday released Security Update 2007-009. The update is available for download through the Software Update system preference and from Apple’s downloads Web site. Separate downloads are available for Mac OS X v10.5.1 and Mac OS X v10.4.11.

Many of the fixes that affect both Tiger and Leopard users patch vulnerabilities that could have been exploited either to execute arbitrary code or to disclose sensitive information. For example, the update improves bounds checking to address a memory corruption issue in the handling of Internet Printing Protocol (IPP) tags in CUPS, which a remote attacker could have used to execute arbitrary code. Another fix implements a stricter frame navigation policy in the Safari Web browser to address a WebKit vulnerability in which visiting a maliciously crafted Web page could have triggered a cross-site scripting attack.
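The CUPS fix above is described only as "improved bounds checking" of IPP tag handling. The following added example, written for this page and not taken from CUPS or from Apple's patch, shows the class of defect and the class of fix: a minimal parser for an IPP-style attribute record (a one-byte value tag, a two-byte big-endian name length, the name, a two-byte value length, the value), first trusting the lengths that arrive on the wire and then checking every length against both the remaining input and the destination buffer before using it. The record layout, the `NAME_MAX` limit and the sample records are assumptions constructed for the demonstration; nothing here reproduces the specific bug Apple fixed.

```c
/* Added illustrative example (not CUPS code): parsing IPP-style attribute
 * records with and without bounds checks on wire-supplied lengths.
 * Record layout assumed here: tag(1) | name_len(2, BE) | name | value_len(2, BE) | value
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* fixed-size destination for attribute names (assumed) */

struct ipp_attr {
    uint8_t        tag;
    char           name[NAME_MAX];
    uint16_t       value_len;
    const uint8_t *value;     /* points into the caller's input buffer */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* UNSAFE: trusts the lengths in the record. A name_len of NAME_MAX or more
 * overflows attr->name, and a length larger than the bytes that actually
 * arrived reads past the end of buf. Kept only for comparison; never call
 * it on untrusted input. */
int parse_attr_unchecked(const uint8_t *buf, size_t len, struct ipp_attr *attr)
{
    (void)len;                                  /* the input size is ignored */
    const uint8_t *p = buf;
    attr->tag = *p++;
    uint16_t name_len = rd16(p); p += 2;
    memcpy(attr->name, p, name_len);            /* no check against NAME_MAX */
    attr->name[name_len] = '\0';
    p += name_len;
    attr->value_len = rd16(p); p += 2;
    attr->value = p;                            /* no check against len */
    return (int)((p + attr->value_len) - buf);
}

/* HARDENED: every wire-supplied length is checked against what remains in
 * the input and against the destination size before it is used.
 * Returns the number of bytes consumed, or -1 for a malformed record. */
int parse_attr_checked(const uint8_t *buf, size_t len, struct ipp_attr *attr)
{
    size_t off = 0;
    if (len < 3) return -1;                     /* need tag + name_len field */
    attr->tag = buf[off++];
    uint16_t name_len = rd16(buf + off); off += 2;
    if (name_len >= NAME_MAX) return -1;        /* would not fit with its NUL */
    if (name_len > len - off) return -1;        /* name runs past the input */
    memcpy(attr->name, buf + off, name_len);
    attr->name[name_len] = '\0';
    off += name_len;
    if (len - off < 2) return -1;               /* need value_len field */
    attr->value_len = rd16(buf + off); off += 2;
    if (attr->value_len > len - off) return -1; /* value runs past the input */
    attr->value = buf + off;
    off += attr->value_len;
    return (int)off;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t benign_rec[] = {
    0x45, 0x00, 0x0B, 'p','r','i','n','t','e','r','-','u','r','i',
    0x00, 0x1A, 'i','p','p',':','/','/','l','o','c','a','l','h','o','s','t',
    '/','p','r','i','n','t','e','r','s','/','p'
};
/* name_len 0xFFFF with only one name byte present: overflows NAME_MAX and buf */
static const uint8_t oversized_name_rec[] = { 0x45, 0xFF, 0xFF, 'x', 0x00, 0x00 };
/* name fits, but value_len 0x0100 claims 256 bytes when only 2 follow */
static const uint8_t truncated_value_rec[] = { 0x45, 0x00, 0x03, 'f','o','o', 0x01, 0x00, 'a','b' };

int parse_benign_checked(struct ipp_attr *a)   { return parse_attr_checked(benign_rec, sizeof benign_rec, a); }
int parse_benign_unchecked(struct ipp_attr *a) { return parse_attr_unchecked(benign_rec, sizeof benign_rec, a); }
int parse_oversized_name_checked(void)   { struct ipp_attr a; return parse_attr_checked(oversized_name_rec, sizeof oversized_name_rec, &a); }
int parse_truncated_value_checked(void)  { struct ipp_attr a; return parse_attr_checked(truncated_value_rec, sizeof truncated_value_rec, &a); }

int main(void)
{
    struct ipp_attr a;
    int n = parse_benign_checked(&a);
    printf("benign: consumed %d bytes, tag 0x%02x, name \"%s\", value_len %u\n",
           n, a.tag, a.name, a.value_len);
    printf("oversized name: %d\n", parse_oversized_name_checked());   /* -1 */
    printf("truncated value: %d\n", parse_truncated_value_checked()); /* -1 */
    return 0;
}
```

The two rejected records would drive `parse_attr_unchecked` into a 65,535-byte `memcpy` into a 64-byte stack buffer and into a read 254 bytes past the end of the input respectively; the hardened parser refuses both before touching memory, which is what a bounds-checking fix of this kind amounts to.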

Apple says the Security Update also applies patches from the Samba project that address multiple Samba vulnerabilities, and separately fixes multiple Shockwave Player vulnerabilities, in both Tiger and Leopard.

The update affects the following components of Mac OS X v10.5 “Leopard”:

  • Core Foundation
  • CUPS
  • Flash Player Plug-in
  • Launch Services
  • perl
  • python
  • Quick Look
  • ruby
  • Safari
  • Samba
  • Shockwave Plug-in
  • Spin Tracer

Leopard-specific fixes include a pair of Quick Look issues. According to Apple’s release notes, plug-ins were not restricted from making network requests while Quick Look previewed an HTML file, which could have disclosed sensitive information; the update addresses this by disabling plug-ins in Quick Look previews. The update also disables HREFTrack while browsing movie files, addressing an issue reported by Lukhnos D. Liu of Lithoglyph in which creating an icon for a movie file or previewing it with Quick Look could cause URLs embedded in the movie to be accessed.

Users who are continuing to use Mac OS X v10.4 “Tiger” will see the following components updated by this release:

  • Address Book
  • CUPS
  • ColorSync
  • Core Foundation
  • Desktop Services
  • Flash Player Plug-in
  • gnutar
  • iChat
  • IO Storage Family
  • Launch Services
  • Mail
  • perl
  • python
  • ruby
  • Samba
  • Safari
  • Shockwave Plug-in
  • SMB
  • Spotlight
  • tcpdump
  • XQuery

Tiger-specific fixes include improved handling of format strings in Address Book, a requirement for user interaction before a video conference is initiated in iChat, and additional feed validation to correct a memory corruption issue in Safari’s handling of feed: URLs.

Apple recommends that all users install Security Update 2007-009.

Apple has posted more information about what’s changed in this security release at its Web site.

Editor’s Note: Updated at 5:25 p.m. PT to add more information on Security Update 2007-009.
