Apple Computer Inc. on Thursday released its December security update. The 12.7MB download consists of several updated components including Apache, AppKit, HIToolbox, Kerberos, Postfix, PSNormalizer, Safari and Terminal.
Several Apache modules were updated, improving security for both the client and server versions of Mac OS X. According to Apple, Apache mod_digest_apple authentication is vulnerable to replay attacks in Mac OS X Server. Corrections for the replay problem were made in versions 1.3.31 and 1.3.32 of Apache and have been included in this update.
For Mac OS X client and server, multiple vulnerabilities in Apache and mod_ssl were addressed, including local privilege escalation, remote denial of service and, in some modified configurations, execution of arbitrary code. Apache and mod_ssl have been updated to fix these issues.
Other issues found with Apache and corrected with this security update include: Apache configurations did not fully block access to “.DS_Store” files or those starting with “.ht”; file data and resource fork content could be retrieved via HTTP, bypassing the normal Apache file handlers; and modified Apache 2 configurations could permit privilege escalation for local users and remote denial of service.
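As an added illustration, not taken from the article and not Apple's shipped httpd.conf (which the article does not quote), the following Apache 1.3/2.0-era fragment shows a typical default that only blocks “.ht” files beside a rule that also denies the “.DS_Store” files mentioned above:

```apache
# Added example (assumed configuration, not Apple's own fix).

# Weak: the stock directive only covers .htaccess/.htpasswd-style files,
# so a Finder-created .DS_Store in a web root is still served over HTTP.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Corrected: deny any file whose name begins with ".ht" or is ".DS_Store",
# regardless of which directory it sits in. "Satisfy All" prevents a
# per-directory Require/auth rule from overriding the Deny.
<FilesMatch "^\.(ht|DS_Store)">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
```

Apache 2.4 replaces Order/Deny with `Require all denied`; the FilesMatch pattern stays the same.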
AppKit has been updated for Mac OS X to prevent characters entered into a secure text field from being read by other applications. The updated AppKit also fixes a problem where integer overflows and poor range checking in TIFF handling could allow execution of arbitrary code or denial of service.
MIT recently released updates to Kerberos that remove the risk of a potential denial of service when Kerberos authentication is used. Apple has applied those updates to the Kerberos components in Mac OS X and Mac OS X Server.
Postfix, the replacement for sendmail that Apple adopted in Mac OS X 10.3, has been updated to fix an issue that would allow a remote user to send mail without properly authenticating if the server was configured to use CRAM-MD5 authentication with Postfix.
Two updates have been added for Apple’s Web browser, Safari. Specially crafted HTML could display a misleading URL in the Safari status bar; this update corrects Safari so that it now displays the URL that will actually be activated when the link is selected. Additionally, if a user had not turned on Safari’s built-in pop-up blocking, they could, with multiple browser windows open, be misled about which window activated a pop-up. With this update, Safari now places the window that activates a pop-up in front of all other browser windows.
The update is available via the Software Update control panel. Separate downloads are available for Mac OS X 10.2.8 client and server, and Mac OS X 10.3.6 client and server.