Apple releases fixes for OS X security issues

In addition to updating Mac OS X Leopard earlier today, Apple also released a security update for PowerPC and Intel users of Mac OS X Tiger. Leopard users that updated to 10.5.2 do not need to install this separate update — all of the fixes in this update were included in 10.5.2.

Fixed for Tiger users in this update is a buffer overflow in Directory Services that could allow a local user to execute arbitrary code with system privileges. Another arbitrary code execution problem was addressed in Safari’s handling of URLs. Mail no longer allows arbitrary applications to be launched when clicking “file:// URLs” in a message.

For OS X 10.5 users who install the security patch via the 10.5.2 update, an interesting issue involving Time Machine has been found. If an application was removed from the system, it could still be launched from a Time Machine backup. With this update, applications cannot be launched directly from Time Machine.

If you use Parental Controls to manage web content, Parental Controls will inadvertently contact www.apple.com when a website is unblocked. According to Apple, this allows a remote user to detect the machines running Parental Controls. This update addresses the issue by removing the outgoing network traffic when a website is unblocked.

A full list of security issues fixed in this update is available from Apple’s Web site.

The patches include fixes for Safari, Mail, Launch Services, the Mac OS Directory Services, Open Directory and Parental Controls. There are also patches for several Unix components that ship with Apple’s software, including a recently patched flaw in the Samba file-and-print software.

“The Samba bug was expected, since all the open-source distributions released fixes a while ago,” said Andrew Storms, nCircle’s director of security operations, via instant message.

In all, the security updates fix 11 bugs, including eight specific to Mac OS X 10.5.

Robert McMillan of IDG News Service contributed to this report.

Updated at 11:50 p.m. PT to include more information on the security fixes and to clarify information about the Time Machine-related fix.

Subscribe to the Apple @ Work Newsletter

Comments