Apple releases Mac OS X 10.5.4 update, security fixes

Apple Insider ^ | 06/30/2008 | By Aidan Malley

[Swordmaker]

Apple on Monday evening released Mac OS X 10.5.4, the latest significant revision to Leopard and a key part of its online strategy. Also, Security Update 2008-004 and Safari 3.1.2 for Tiger address security issues for earlier Mac OS X versions.

The update (59MB for 10.5.3 users) is considered an important precursor to Mac support for MobileMe, Apple's imminent sync and hosting service.

In addition to laying the groundwork for the future replacement for .Mac, the update is also key to fixing a number of major bugs identified since the release of Mac OS X 10.5.3, including an Adobe CS3 corruption bug with remote file saves and a chronic shutdown flaw.

Also mended with the fix are reliability with AirPort when on 5GHz 802.11a and 802.11n networks, iCal stability, access to secure websites with Safari, and a number of fixes for Exposé and Spaces.

Support for additional cameras' RAW photo formats has also been expanded, the company says.

Apple recommends the update for all Leopard users to improve the stability of their systems, and rolls in previous security updates released between Mac OS X 10.5.3 and the new update.

Additionally, the company has released Security Update 2008-004 for Mac OS X Tiger client (Intel, PowerPC) and Tiger Server (Intel, PowerPC) that bring security fixes built into Mac OS X 10.5.4 to the earlier operating systems, including protection against vulnerabilities in significant components such as CoreTypes, the Dock, SMB File Server, Ruby and Webkit.

A third update, Safari 3.1.2 for Mac OS X Tiger, fixes a specific flaw in WebKit (addressed for Leopard in 10.5.4) that would allow malicious JavaScript to either crash Safari or else allow running hostile code through the browser.

The full list of fixes in Mac OS X 10.5.4 follows below:

General

• Includes recent Apple security updates.
  
• Resolves an issue with saving and reopening Adobe Creative Suite 3 files on a remote server.
  
• Includes additional RAW image support for several cameras.
  
• Addresses an issue that may result in a partially installed X11 application.
  
• Improves L2TP VPN client reliability.

AirPort

• Addresses AirPort reliability issues with 5GHz networks.
  
• Addresses AirPort issues that may result in slower performance in Logic Studio or MainStage.

iCal

• Improves overall iCal reliability for meeting requests, cancellation notices, delegation, and syncing with iPhone.
  
• Resolves an issue that prevents deleting an iCal event without notifying the creator.
  
• Addresses an issue in which events in all calendars affect availability. A checkbox now enables information-only calendars to be transparent from free/busy lookups.
  
• Resolves a UI issue preventing delegated calendars from showing up as a separate window.
  
• Addresses an issue with copying and pasting attendees from one event to another.
  
• Resolves an issue in which iCal may not delete events after a specified time interval, even when set to do so in iCal preferences.
  
• Addresses an issue in which To Dos cannot be marked private.

Safari

• Addresses a potential performance issue when loading secure web pages.
  
• Resolves issues that may be encountered when accessing secure web pages with client certificates that reside on a smart card.

Spaces and Exposé

• Addresses an issue in which switching from a space with a Finder window keeps the Finder as the active application instead of the application residing in the destination space.
  
• Fixes an issue in which dragging an application from the list of application assignments in Spaces System Preferences does not assign the application to the desired space.
  
• Resolves an Exposé issue that may result in only a subset of windows being shown.

[Swordmaker]

OSX.5.4 update now available... time to click the Black Apple Menu and select Software Update... PING!

Thanks to Freeper Vox for the heads up.

MacPing!

If you want on or off the Mac Ping List, Freepmail me.

[GOP Poet]

thanks!

[Swordmaker]

Make that Vox_Freedom who provided the heads up...

dang iPhone call interrupted my post.

[dighton]

Applied as usual w/o incident.

[Swordmaker]

Summary

This document describes the security content of Security Update 2008-004 and Mac OS X 10.5.4, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

 

Products Affected

Security

Security Update 2008-004 and Mac OS X v10.5.4

• Alias Manager

  CVE-ID: CVE-2008-2308

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

  Impact: Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution

  Description: A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.

• CoreTypes

  CVE-ID: CVE-2008-2309

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: Users are not warned before opening certain potentially unsafe content types

  Description: This update adds .xht and .xhtm files to the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature. Credit to Brian Mastenbrook for reporting this issue.

• c++filt

  CVE-ID: CVE-2008-2310

  Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution

  Description: A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. This issue does not affect systems prior to Mac OS X 10.5.

• Dock

  CVE-ID: CVE-2008-2314

  Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: A person with physical access may be able to bypass the screen lock

  Description: When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active. This issue does not affect systems prior to Mac OS X 10.5. Credit to Andrew Cassell of Marine Spill Response Corporation for reporting this issue.

• Launch Services

  CVE-ID: CVE-2008-2311

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

  Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

  Description: A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the "Open 'safe' files" preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user's system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files. This issue does not affect systems running Mac OS X 10.5 or later.

• Net-SNMP

  CVE-ID: CVE-2008-0960

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: A remote attacker may be able to spoof an authenticated SNMPv3 packet

  Description: An issue exists in Net-SNMP's SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets. Additional information is available via http://www.kb.cert.org/vuls/id/878044

• Ruby

  CVE-ID: CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: Running a Ruby script that uses untrusted input to access strings or arrays may lead to an unexpected application termination or arbitrary code execution

  Description: Multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays.

• Ruby

  CVE-ID: CVE-2008-1145

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: If WEBRick is running, a remote attacker may be able to access files protected by WEBrick's :NondisclosureName option

  Description: The :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names. Additional information is available via http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ The directory traversal issue described in the advisory does not affect Mac OS X.

• SMB File Server

  CVE-ID: CVE-2008-1105

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution

  Description: A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

• System Configuration

  CVE-ID: CVE-2008-2313

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

  Impact: A local user may be able to execute arbitrary code with the privileges of new users

  Description: A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Andrew Mortensen of the University of Michigan for reporting this issue.

• Tomcat

  CVE-ID: CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, CVE-2007-5461

  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

  Impact: Multiple vulnerabilities in Tomcat 4.1.36

  Description: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site at http://tomcat.apache.org/ Tomcat version 6.x is bundled with Mac OS X v10.5 systems.

• VPN

  CVE-ID: CVE-2007-6276

  Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: Remote attackers may be able to cause an unexpected application termination

  Description: A divide by zero issue exists in the virtual private network daemon's handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5.

• WebKit

  CVE-ID: CVE-2008-2307

  Available for: Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3

  Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

  Description: A memory corruption issue exists in WebKit's handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP / Vista, this issue is addressed in Safari v3.1.2 for those systems. Credit to James Urquhart for reporting this issue.

[vox_freedom]

dang iPhone call interrupted my post.

Ha!

Thanks for posting, and the ping. Much better to be interrupted by an iPhone call than one on a Motorola. :-/

[GulfWar1Vet]

Thanks for the ping.

I’m ready for that MobileMe and the 2.0 Update for sure!