Apple releases security update for Leopard, Snow Leopard
By Philip Michaels, Macworld
In addition to rolling out an update to Mac OS X 10.6 on Monday, Apple also issued a security update for users of its operating system. Security Update 2010-002 is included with the Mac OS X 10.6.3 update; Leopard users can download the update separately for client and server versions of Mac OS X 10.5.
The release notes for Security Update 2010-002 outline 69 changes across Leopard and Snow Leopard. The update focuses on closing would-be vulnerabilities that could have subjected your Mac to remote attacks, malicious code, or applications quitting unexpectedly.
QuickTime alone accounts for nine of the fixes in Monday’s security update. The updates tackle a heap buffer overflow in the way the multimedia application handles movies encoded in H.263, H.261, RLE, M-JPEG, FLC, and MPEG. Also addressed are memory corruptions in how QuickTime handles H.264- and Sorenson-encoded movie files.
iChat Server gets four fixes. An implementation issue in jabberd’s handling of SASL negotiation that could have let remote attackers cause a denial of service has been addressed. The update also fixes issues in which chat messages may not be logged, or in which authenticated users could have caused applications to quit unexpectedly or arbitrary code to be executed.
Other changes of note in Security Update 2010-002 include:
a pair of fixes to CoreAudio that tackle memory corruption issues in the handling of QDM2- and QDMC-encoded audio content;
the addition of .ibplugin and .url to the system’s list of content types that OS X will flag as potentially unsafe under certain circumstances;
a change that ensures that copied files are owned by the user performing the copy in OS X 10.6;
fixes that address a memory corruption issue in the handling of bzip2-compressed disk images and a design issue in the handling of Internet-enabled disk images;
fixes to buffer overflows that exist in Image RAW’s handling of NEF and PEF images; and
a fix for a logic issue in how Mail handles encryption certificates.
Security changes are included with the OS X 10.6.3 update available from Software Update or Apple’s support download site. That page lists Security Update 2010-002 as a 78.39MB download for Leopard client users and a 361.40MB download for Leopard Server.