Apple releases Mac OS X 10.5.2

Apple today released Mac OS X 10.5.2 and Mac OS X Server 10.5.2 which are recommended for all users running Mac OS X Leopard and includes general operating system fixes that enhance the stability, compatibility and security of your Mac.

Active Directory
• Addresses issues which could hinder or prevent binding Mac OS X 10.5.x clients to Active Directory domains.

AirPort
• Improves connection reliability and stability
• Includes 802.1X improvements.
• Resolves certain kernel panics.

Back to my Mac
• Adds support for more third-party routers, as detailed in this article.

Dashboard
• Improves performance of certain Apple Dashboard widgets (such as Dictionary).
• Addresses an issue in which Dashboard widgets may no longer be accessible after switching to or from an account that has Parental Controls enabled.

Dock
• Updates Stacks with a List view option, a Folder view option, and an updated background for Grid view. (Ladies and gentlemen, Stacks are no longer virtually useless!)

Desktop
• Addresses legibility issues with the menu bar with an option to turn off transparency in Desktop & Screen Saver preferences.
• Adjusts menus to be slightly-less translucent overall.

iCal
• Improves iCal so that it accurately reflects responses to recurring meetings.
• Addresses an issue in which a meeting may remain on the calendar after being cancelled.
• Addresses stability issues related to .Mac syncing of iCal calendars.
• Resolves an intermittent issue in which editing an event with attendees would cause the event to shrink and not register that the event was updated.

iChat
• Addresses an issue with simultaneously-logged in accounts in which iChat sounds generated from one account might be heard in another account.
• Fixes an issue in which iChat idle time is affected by Time Machine backups.
• Improves connectivity when running iChat behind a router that doesn’t preserve ports.
• Enables logged chats from previous versions of iChat to open faster and more reliably.
• Addresses an issue with text chats in which users may be unable to receive messages from the sender.
• Addresses an issue that may prevent rejoining an AIM chat room without reopening iChat.
• Addresses video chat compatibility issues with AIM 6 and third-party routers.
• Fixes an issue with case-sensitivity of AIM handles.

Finder
• Addresses an issue in which Finder could unexpectedly quit when displaying folder contents in Column view.
• Addresses an issue in which Finder could unexpectedly quit when accessing Users and Groups in a Get Info pane.
• Resolves an issue that prevented setting permissions on a folder alias.
• Resolves an issue in which the Eject command could write to a disc in the optical drive.
• Fixes an issue in which the scroll bar might disappear when deleting a file within a folder that includes files that are out of view.
• Fixes an issue in the Sharing & Permissions section of Get Info windows, in which the gear icon appears to be gray/disabled after authentication.
• Addresses an issue in which the Show Icon Preview preference might not be not saved when turning it off.
• Fixes an issue that could occur when trying to print an image from the Finder.

Mail
• Addresses an issue with Message menu's Mark > As Read choice.
• Fixes an issue in which duplicate On My Mac folders may appear in the sidebar after upgrading to Leopard.
• Improves the accuracy of the Data Detectors feature.
• Resolves an issue with scrolling through a Note that is displayed using the split view in the message window.
• Fixes an issue with deleting messages located in the Drafts folder.
• Fixes an issue in which dragging the icon in the Safari URL field into a Mail message creates an attachment instead of a link.
• Addresses an issue found when opening a item in the Notes folder that is not a Note.
• Fixes an issue that may prevent RSS feeds from being delivered in Mail.
• Resolves an issue in which a selected message could "flash" from blue to gray when in Organize by Thread mode.
• Fixes an issue with scrolling between multiple To Dos in an email message.
• Fixes an issue in which the body of email messages with certain MIME structures may not be displayed.
• Improves performance with America Online (AOL) account-based messages in Mail.
• Addresses issues with some ISPs during automatic set-up in Mail.
• Addresses an issue in which Mail might not send mail on some networks to some SMTP servers.
• Mail now automatically disables the (unsupported) third-party plugin GrowlMail version 1.1.2 or earlier to avoid issues.
• Adds an option to view large icons in the Mailbox list.

Networking
• Addresses a hanging issue that may occur when connecting to an AFP network volume.
• Parental Controls
• Improves stability when opening the Parental Controls System Preferences pane.
• Fixes an issue that may prevent changes to the email address for permission requests.
• Addresses an issue with printer administration for a guest account enabled with Parental Controls.
• Addresses an issue with setting printer administration privileges from another Mac on the local network.
• Fixes an issue that could prevent certain applications from being allowed.
• Addresses accuracy issues with the web content filter.

Preview
• Improves stability when scrolling through a PDF document.
• Fixes an issue that prevents tabbing within a PDF document after clicking on the PDF.
• Improves the Mail Document feature so that email attachments are more reliably created from Print Preview.

Printing
• Addresses an issue in which remote printers may be deleted when the computer is put to sleep.
• Improves printing performance when using some Microsoft Office applications.
• Resolves an issue with some printing options, such as landscape orientation, number of copies, two-sided printing, and so forth that may not have functioned with some printers shared by Microsoft Windows.
• Adds support for certain printers connected to the USB port of an AirPort Extreme or AirPort Express base station.
• Resolves a stalling issue that could occur when installing certain Canon printing software from a disc.

RAW Image
• Adds RAW image support for several cameras, as detailed in this article.

Login and Setup Assistant
• Addresses an issue in which Setup Assistant could unexpectedly appear each time Mac OS X 10.5 starts up.
• Improves stability and performance during log in.

System
• Improves the accuracy of the grammar checker.
• The computer will now shut down if an automatic disk repair does not succeed during startup.

Time Machine
• Adds a menu bar option for accessing Time Machine features (the menu extra can be enabled in Time Machine preferences).
• Improves backup reliability when computer name contains slash or non-ASCII characters.
• Fixes an issue in which the backup disk displayed in the Finder may be out of sync with the disk chosen for Time Machine.
• Addresses issues in which some external drives are not recognized by Time Machine.
• The status menu now appears by default.

Other
• Improves general stability when running third-party applications.
• Addresses an issue in which the incorrect search results may be displayed for certain Automator Find/Filter actions.
• Addresses an issue with the Latvian and Russian keyboard layouts.
• Addresses an issue in which the backlight could turn off before Energy Saver's backlight setting.

Once Mac OS X 10.5.2 Update is applied, Software Update will expect users to download and install a separate graphics driver update, Leopard Graphics Update.

Mac OS X 10.5.2 and Mac OS X Server 10.5.2 are available via Software Update and also as standalone installers.

This update also include the following security updates... Other versions of OSX may also download and install these security fixes if needed. Software Update will select those that are needed for your version of OSX.

This document describes the security content of Mac OS X 10.5.2 and Security Update 2008-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."

Mac OS X v10.5.2 / Security Update 2008-001

Directory Services
CVE-ID: CVE-2007-0355
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue.

Foundation
CVE-ID: CVE-2008-0035
Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X v10.5.

Launch Services
CVE-ID: CVE-2008-0038
Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: An application removed from the system may still be launched via the Time Machine backup
Description: Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup. This update addresses the issue by not allowing applications to be launched directly from a Time Machine backup. This issue does not affect systems prior to Mac OS X v10.5. Credit to Steven Fisher of Discovery Software Ltd. and Ian Coutier for reporting this issue.

Mail
CVE-ID: CVE-2008-0039
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Accessing a URL in a message may lead to arbitrary code execution
Description: An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message. This update addresses the issue by displaying the location of the file in Finder rather than launching it. This issue does not affect systems running Mac OS X v10.5 or later.

NFS
CVE-ID: CVE-2008-0040
Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: If the system is being used as an NFS client or server, a remote attacker may cause an unexpected system shutdown or arbitrary code execution
Description: A memory corruption issue exists in NFS's handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through improved handling of mbuf chains. This issue does not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of Sun Microsystems for reporting this issue.

Open Directory
Available for: Mac OS X v10.4.11, Mac OS X v10.4.11 Server
Impact: NTLM authentication requests may always fail
Description: This update addresses a non-security issue introduced in Mac OS X v10.4.11. An race condition in Open Directory's Active Directory plug-in may terminate the operation of winbindd, causing NTLM authentications to fail. This update addresses the issue by correcting the race condition that could terminate winbindd. This issue only affects Mac OS X v10.4.11 systems configured for use with Active Directory.

Parental Controls
CVE-ID: CVE-2008-0041
Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: Requesting to unblock a website leads to information disclosure
Description: When set to manage web content, Parental Controls will inadvertently contact www.apple.com when a website is unblocked. This allows a remote user to detect the machines running Parental Controls. This update addresses the issue by removing the outgoing network traffic when a website is unblocked. This issue does not affect systems prior to Mac OS X v10.5. Credit to Jesse Pearson for reporting this issue.

Samba
CVE-ID: CVE-2007-6015
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests. If a system is explicitly configured to allow "domain logons", an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected. This update addresses the issue by applying the Samba patch. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html Credit to Alin Rad Pop of Secunia Research for reporting this issue.

Terminal
CVE-ID: CVE-2008-0042
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously crafted web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved validation of URLs. Credit to Olli Leppanen of Digital Film Finland and Brian Mastenbrook for reporting this issue.

X11
CVE-ID: CVE-2007-4568
Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: Multiple Vulnerabilities exist in X11 X Font Server (XFS) 1.0.4
Description: Multiple vulnerabilities in X11 X Font Server (XFS), the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

X11
CVE-ID: CVE-2008-0037
Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1
Impact: Changing the settings in the Security Preferences Panel has no effect
Description: The X11 server is not reading correctly its "Allow connections from network client" preference, which can cause the X11 server to allow connections from network clients, even when the preference is turned off. This update addresses the issue by ensuring the X11 server reads its preferences correctly. This issue does not affect systems prior to Mac OS X v10.5.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.