Time for Snow Leopard users to click on the Black Apple Menu and select "Software Update..."

Snow Leopard update released ... OS X.6.2. Time to hit the Black Apple Menu and select "Software Update..." PING!

Mac Snow Leopard Update Ping!

If you want on or off the Mac Ping List, Freepmail me.

About the Mac OS X v10.6.2 Update

Last Modified: November 09, 2009
Article: HT3874

Summary

Mac OS X v10.6.2 Update

This update is recommended for Mac OS X v10.6 through v10.6.1 Snow Leopard users and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac.

For detailed information about the security content of this update, please visit this website.

Products Affected

Mail, Mac OS X 10.6, MobileMe

Updating your system

You should back up your system before installation; you can use Time Machine.

Do not interrupt the installation process once you have started to update your system. You may experience unexpected results if you have third-party system software modiﬁcations installed, or if you've modiﬁed the operating system through other means.

Choose Software Update from the Apple () menu to check for the latest Apple software via the Internet, including this update.

If your computer is not up-to-date, other software updates available for your computer may appear, which you should install. When Software Updates states "Your software is up to date," you can be sure that all available updates have been installed.

Note that an update size may vary from computer-to-computer when installed using Software Update. Also, some updates must be installed prior to others, so you should run Software Update more than once to make sure you have all available updates.

You can manually download the update installer. This is a useful option when you need to update multiple computers but only want to download the update once. These versions of the standalone installers are available from Apple Support Downloads.

What's included?

General operating system fixes provided for:

an issue that caused data to be deleted when using a guest account
an issue that might cause your system to logout unexpectedly
Spotlight search results not showing Exchange contacts
the reliability of menu extras
an issue in Dictionary when using Hebrew as the primary language
shutter-click sound effect when taking a screenshot
an issue with the four-finger swipe gesture
an issue adding images to contacts in Address Book
an issue in Front Row that could cause sluggish or slow frame rates while watching videos
creation of mobile accounts for Active Directory users
reliability and duration of VPN connections
general reliability improvements for iWork, iLife, Aperture, Final Cut Studio, MobileMe, and iDisk
overall improvements to VoiceOver performance
this update addresses video playback and performance issues for iMac (21.5-inch, Late 2009) and iMac (27-inch, Late 2009) computers that may occur in some situations while AirPort is turned on

Fonts fixes provided for:

an issue with font spacing
an issue in which some Fonts are missing
font duplication issues
an issue with some PostScript Type 1 fonts not working properly

Graphics fixes provided for:

an issue when connecting monitors to DVI and Mini DisplayPort adapters
an issue in which the brightness setting may not be remembered on restart
addresses functionality with specific display models
general reliability and performance improvements when using some applications

Mail fixes provided for:

a situation in which Mail's unread count may not update properly as messages are read on another computer
an issue in which deleted RSS feeds may return
an issue in which Mail cannot preview or Quick Look attachments when composing a new message
an issue that can cause Address Book and/or Mail to stop responding when opened
an issue in which email messages received from an Exchange Server are not formatted correctly
an issue in which Mail reports "Account exceeded bandwidth limits" for some Gmail accounts

MobileMe fixes provided for:

performance when accessing files from iDisk via the Finder and syncing iDisk files
an issue in which syncing iDisk files does not proceed beyond "checking items"
reliability and performance when syncing contacts, calendars, and bookmarks with MobileMe (syncing with iTunes and iSync are also improved)
an issue that prevents some users from logging into MobileMe via the MobileMe System Preference pane

Network file systems fixes provided for:

compatibility with third-party AFP servers
file synchronization for portable home directories

Printing and faxing fixes provided for:

automatic printer updates improvements
Print dialog allowing you to enter and send to more than one fax recipient

Safari fixes provided for:

a graphics distortion issue in Safari Top Sites
Safari plug-in reliability

Macbbook Pro was giving me issues the other day. Rebooted it and the screen never came back on. It’s 2.5 years old, never an issue before.

Going to bring it in to see if they can fix it. Otherwise have to replace it.

If it has to be replaced, anything I should make sure the new Mac has? Should I replace it with 17 vs 15?

Just your thoughts, thanks.

About Security Update 2009-006 / Mac OS X v10.6.2

Last Modified: November 09, 2009
Article: HT3937

Summary

This document describes the security content of Security Update 2009-006 / Mac OS X v10.6.2, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Products Affected

Product Security, Mac OS X Server 10.5, Mac OS X 10.5, Mac OS X 10.6, Mac OS X Server 10.6

Security Update 2009-006 / Mac OS X v10.6.2

AFP Client
CVE-ID: CVE-2009-2819
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Accessing a malicious AFP server may lead to an unexpected system termination or arbitrary code execution with system privileges
Description: Multiple memory corruption issues exist in AFP Client. Connecting to a malicious AFP Server may cause an unexpected system termination or arbitrary code execution with system privileges. This update addresses the issues through improved bounds checking. These issues do not affect Mac OS X v10.6 systems. Credit: Apple.

Adaptive Firewall
CVE-ID: CVE-2009-2818
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 and v10.6.1
Impact: A brute force or dictionary attack to guess an SSH login password may not be detected by Adaptive Firewall
Description: Adaptive Firewall responds to suspicious activity, such as an unusual volume of access attempts, by creating a temporary rule to restrict access. In certain circumstances, Adaptive Firewall may not detect SSH login attempts using invalid user names. This update addresses the issue through improved detection of invalid SSH login attempts. This issue only affects Mac OS X Server systems. Credit: Apple.

Apache
CVE-ID: CVE-2009-0023, CVE-2009-1191, CVE-2009-1195, CVE-2009-1890, CVE-2009-1891, CVE-2009-1955, CVE-2009-1956
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Multiple vulnerabilities in Apache 2.2.11
Description: Apache is updated to version 2.2.13 to address several vulnerabilities, the most serious of which may lead to privilege escalation. Further information is available via the Apache web site at http://httpd.apache.org/

Apache
CVE-ID: CVE-2009-2823
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A remote attacker can conduct cross-site scripting attacks against Apache web server
Description: The Apache web server allows the TRACE HTTP method. A remote attacker may use this facility to conduct cross-site scripting attacks through certain web client software. This issue is addressed by updating the configuration to disable support for the TRACE method.

Apache Portable Runtime
CVE-ID: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956, CVE-2009-2412
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Applications using Apache Portable Runtime (apr) may be exploited for code execution
Description: Multiple integer overflows in Apache Portable Runtime (apr) may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by updating Apache Portable Runtime to version 1.3.8 on Mac OS X v10.6 systems, and by applying the Apache Portable Runtime patches on Mac OS X v10.5.8 systems. Systems running Mac OS X v10.6 are affected only by CVE-2009-2412. Further information is available via the Apache Portable Runtime web site at http://apr.apache.org/

ATS
CVE-ID: CVE-2009-2824
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
Description: Multiple buffer overflows exist in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This update addresses the issues through improved bounds checking. These issues do not affect Mac OS X v10.6 systems. Credit: Apple.

Certificate Assistant
CVE-ID: CVE-2009-2825
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A user may be misled into accepting a certificate for a different domain
Description: An implementation issue exists in the handling of SSL certificates which have NUL characters in the Common Name field. A user could be misled into accepting an attacker-crafted certificate that visually appears to match the domain visited by the user. This issue is mitigated as Mac OS X does not consider such a certificate to be valid for any domain. This update addresses the issue through improved handling of SSL certificates.

CoreGraphics
CVE-ID: CVE-2009-2826
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple integer overflows in CoreGraphics' handling of PDF files may result in a heap buffer overflow. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking. These issues do not affect Mac OS X v10.6 systems. Credit: Apple.

CoreMedia
CVE-ID: CVE-2009-2202
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.6. Credit to Tom Ferris of the Adobe Secure Software Engineering Team for reporting this issue.

CoreMedia
CVE-ID: CVE-2009-2799
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.6. Credit to an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.

CUPS
CVE-ID: CVE-2009-2820
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Acessing a maliciously crafted website or URL may lead to a cross-site scripting or HTTP response splitting attack
Description: An issue in CUPS may lead to cross-site scripting and HTTP response splitting. Accessing a maliciously crafted web page or URL may allow an attacker to access content available to the current local user via the CUPS web interface. This could include print system configuration and the titles of jobs that have been printed. This issue is addressed through improved handling of HTTP headers and HTML templates. Credit: Apple.

Dictionary
CVE-ID: CVE-2009-2831
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A user on the local network may be able to cause arbitrary code execution
Description: A design issue in Dictionary allows maliciously crafted Javascript to write arbitrary data to arbitary locations on the user's filesystem. This may allow another user on the local network to execute arbitrary code on the user's system. This update addresses the issue by removing the vulnerable code. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

DirectoryService
CVE-ID: CVE-2009-2828
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in DirectoryService. This may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update only affects systems configured as DirectoryService servers. This update addresses the issue through improved memory handling. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Disk Images
CVE-ID: CVE-2009-2827
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Downloading a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of disk images containing FAT filesystems. Downloading a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Dovecot
CVE-ID: CVE-2009-3235
Available for: Mac OS X Server v10.6 and v10.6.1
Impact: A local user may cause an unexpected application termination or arbitrary code execution with system privilege
Description: Multiple buffer overflows exist in dovecot-sieve. By implementing a maliciously crafted dovecot-sieve script, a local user may cause an unexpected application termination or arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of dovecot-sieve scripts. This issue affects Mac OS X Server systems only. This issue does not affect systems prior to Mac OS X v10.6.

Event Monitor
CVE-ID: CVE-2009-2829
Available for: Mac OS X Server v10.5.8
Impact: A remote attacker may cause log injection
Description: A log injection issue exists in Event Monitor. By connecting to the SSH server with maliciously crafted authentication information, a remote attacker may cause log injection. This may lead to a denial of service as log data is processed by other services. This update addresses the issue through improved escaping of XML output. This issue affects Mac OS X Server systems only. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

fetchmail
CVE-ID: CVE-2009-2666
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: fetchmail is updated to 6.3.11
Description: fetchmail has been updated to 6.3.11 to address a man-in-the-middle issue. Further information is available via the fetchmail web site at http://fetchmail.berlios.de/

file
CVE-ID: CVE-2009-2830
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Running the file command on a maliciously crafted Common Document Format (CDF) file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple buffer overflows vulnerabilities exist in the file command line tool. Running the file command on a maliciously crafted Common Document Format (CDF) file may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by updating file to version 5.03. These issues do not affect systems prior to Mac OS X v10.6.

FTP Server
CVE-ID: CVE-2009-2832
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 and v10.6.1
Impact: An attacker with access to FTP and the ability to create directories on a system may be able to cause unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in FTP Server's CWD command line tool. Issuing the CWD command on a deeply nested directory hierarchy may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue affects Mac OS X Server systems only. Credit: Apple.

Help Viewer
CVE-ID: CVE-2009-2808
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Using Help Viewer on an untrusted network may result in arbitrary code execution
Description: Help Viewer does not use HTTPS for viewing remote Apple Help content. A user on the local network may send spoofed HTTP responses containing malicious help:runscript links. This update addresses the issue by using HTTPS when requesting remote Apple Help content. Credit to Brian Mastenbrook for reporting this issue.

ImageIO
CVE-ID: CVE-2009-2285
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

International Components for Unicode
CVE-ID: CVE-2009-2833
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Applications that use the UCCompareTextDefault API may be vulnerable to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the UCCompareTextDefault API, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect Mac OS X v10.6 systems. Credit to Nikita Zhuk and Petteri Kamppuri of MK&C for reporting this issue.

IOKit
CVE-ID: CVE-2009-2834
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A non-privileged user may be able to modify the keyboard firmware
Description: A non-privileged user may alter the firmware in an attached USB or Bluetooth Apple keyboard. This update addresses the issue by requiring system privileges to send firmware to USB or Bluetooth Apple keyboards. Credit to K. Chen of Georgia Institute of Technology for reporting this issue.

IPSec
CVE-ID: CVE-2009-1574, CVE-2009-1632
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Multiple vulnerabilities in the racoon daemon may lead to a denial of service
Description: Multiple vulnerabilities in the racoon daemon's ipsec-tools before 0.7.2 may lead to a denial of service. This update addresses the issues by applying patches from the IPsec-Tools project. Further information is available via the IPsec-Tools web site at http://ipsec-tools.sourceforge.net/

Kernel
CVE-ID: CVE-2009-2835
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A local user may cause information disclosure, an unexpected system shutdown, or arbitrary code execution
Description: Multiple input validation issues exist in Kernel's handling of task state segments. These may allow a local user to cause information disclosure, an unexpected system shutdown, or arbitrary code execution. This update addresses the issues through improved input validation. Credit to Regis Duchesne of VMware, Inc. for reporting this issue.

Launch Services
CVE-ID: CVE-2009-2810
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Attempting to open unsafe downloaded content may not lead to a warning
Description: When Launch Services is called to open a quarantined folder, it will recursively clear quarantine information from all files contained within the folder. The quarantine information that is cleared is used trigger a user warning prior to opening the item. This would allow the user to launch a potentially unsafe item, such as an application, without being presented with the appropriate warning dialog. This update addresses the issue by not clearing this quarantine information from the folder's content. This issue does not affect systems prior to Mac OS X v10.6. Credit: Apple.

libsecurity
CVE-ID: CVE-2009-2409
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Support for X.509 certificates with MD2 hashes may expose users to spoofing and information disclosure as attacks improve
Description: There are known cryptographic weaknesses in the MD2 hash algorithm. Further research could allow the creation of X.509 certificates with attacker controlled values that are trusted by the system. This could expose X.509 based protocols to spoofing, man in the middle attacks, and information disclosure. While it is not yet considered computationally feasible to mount an attack using these weaknesses, this update disables support for an X.509 certificate with an MD2 hash for any use other than as trusted root certificate. This is a proactive change to protect users in advance of improved attacks against the MD2 hash algorithm. Credit to Dan Kaminsky of IOACTIVE and Microsoft Vulnerability Research (MSVR) for reporting this issue.

libxml
CVE-ID: CVE-2009-2414, CVE-2009-2416
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Parsing maliciously crafted XML content may lead to an unexpected application termination
Description: Multiple use-after-free issues exist in libxml2, the most serious may lead to an unxexpected application termination. This update addresses the issues through improved memory handling. Credit to Rauli Kaksonen and Jukka Taimisto from the CROSS project at Codenomicon Ltd. for reporting these issues.

Login Window
CVE-ID: CVE-2009-2836
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A user may log in to any account without supplying a password
Description: A race condition exists in Login Window. If an account on the system has no password, such as the Guest account, a user may log in to any account without supplying a password. This update addresses the issue through improved access checks. This issue does not affect systems prior to Mac OS X v.10.6.

OpenLDAP
CVE-ID: CVE-2009-2408
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: A man-in-the-middle attacker may be able to impersonate a trusted OpenLDAP server or user even when SSL is being used
Description: An implementation issue exists in OpenLDAP's handling of SSL certificates which have NUL characters in the Common Name field. Using a maliciously crafted SSL certificate, an attacker may be able to perform a man-in-the-middle attack on OpenLDAP transactions which use SSL. This update addresses the issue through improved handling of SSL certificates.

OpenLDAP
CVE-ID: CVE-2007-5707, CVE-2007-6698, CVE-2008-0658
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in OpenLDAP
Description: Multiple vulnerabilities exist in OpenLDAP, the most serious of which may lead a denial of service or arbitrary code execution. This update addresses the issues by applying the OpenLDAP patches for the referenced CVE IDs. Further information is available via the OpenLDAP web site at http://www.openldap.org/. These issues do not affect Mac OS X v10.6 systems.

OpenSSH
CVE-ID: CVE-2008-5161
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Data in an OpenSSH session may be disclosed
Description: An error handling issue exists in OpenSSH, which may lead to the disclosure of certain data in an SSH session. This update addresses the issue by updating OpenSSH to version 5.2p1. Further information is available via the OpenSSH web site at http://www.openssh.com/txt/release-5.2 This issue does not affect Mac OS X v10.6 systems.

PHP
CVE-ID: CVE-2009-3291, CVE-2009-3292, CVE-2009-3293
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in PHP 5.2.10
Description: PHP is updated to version 5.2.11 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues do not affect Mac OS X v10.6 systems.

QuickDraw Manager
CVE-ID: CVE-2009-2837
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickDraw's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to Nicolas Joly of VUPEN Vulnerability Research Team for reporting this issue.

QuickLook
CVE-ID: CVE-2009-2838
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow in QuickLook's handling of Microsoft Office files may lead to a buffer overflow. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

QuickTime
CVE-ID: CVE-2009-2202
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to Tom Ferris of the Adobe Secure Software Engineering Team for reporting this issue.

QuickTime
CVE-ID: CVE-2009-2799
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-2203
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of MPEG-4 video files. Opening a maliciously crafted MPEG-4 video file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to Alex Selivanov for reporting this issue.

QuickTime
CVE-ID: CVE-2009-2798
Available for: Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of FlashPix files. Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue is already addressed in QuickTime 7.6.4 for both Mac OS X v10.5.8 and Windows. Credit to Damian Put working with TippingPoint and the Zero Day Initiative for reporting this issue.

FreeRADIUS
CVE-ID: CVE-2009-3111
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A remote attacker may terminate the operation of the RADIUS service
Description: An issue exists in FreeRADIUS in the handling of Access-Request messages. A remote attacker may cause the RADIUS service to terminate by sending an Access-Request message containing a Tunnel-Password attribute with a zero-length attribute value. After any unexpected termination, the RADIUS service will be automatically restarted. This update addresses the issue through improved validation of zero-length attributes. This issue does not affect Mac OS X v10.6 systems.

Screen Sharing
CVE-ID: CVE-2009-2839
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Accessing a malicious VNC server may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in the Screen Sharing client. Accessing a malicious VNC server, such as by opening a vnc:// URL, may cause an unexpected application termination or arbitrary code execution. This update addresses the issues through improved memory handling. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Spotlight
CVE-ID: CVE-2009-2840
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A local user may manipulate files with the privileges of another user
Description: An insecure file operation exists in Spotlight's handling of temporary files. This could allow a local user to overwrite files with the privileges of another user. This update addresses the issue through improved handling of temporary files. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Subversion
CVE-ID: CVE-2009-2411
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 and v10.6.1, Mac OS X Server v10.6 and v10.6.1
Impact: Accessing a Subversion repository may lead to an unexpected application termination or arbitrary code execution
Description: Multiple heap buffer overflows in Subversion may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues by updating Subversion to version 1.6.5 for Mac OS X v10.6 systems, and by applying the Subversion patches for Mac OS X v10.5.8 systems. Further information is available via the Subversion web site at http://subversion.tigris.org/

I ordered extra Ram on my iMacs...

Had you installed Snow Leopard or downloaded this new fix?

I have a 15” MacBook Pro that’s a little over 3 years old, and would probably opt for a 17” next time if the weight is manageable. But mine is performing without any problems.

Will do the same. Thanks.

Crossing fingers they can fix my current one. If not, will probably spend the few extra dollars and the the 17 inch.

Apple has very reasonable repair policies. My son’s G4 PowerBook, age 5+, developed a screen issue. A total rebuild (involving fixing anything that’s found to be subpar) had a flat fee of something like $325. Your newer machine shouldn’t be much more. If you like your machine, that’d be a great way to get it back, assuming one of the Apple Store Geniuses can’t fix it right then and there.

On the other hand, the current crop of Mac laptops is super delectable. I would not fault you for upgrading. I’m sorely tempted myself... but am holding out for quad-core.

If it has to be replaced, anything I should make sure the new Mac has? Should I replace it with 17 vs 15?

My thoughts: Don't buy memory upgrades from Apple. Too expensive. Buy a minimal RAM configuration using one socket if you can and then upgrade with Crucial or other top line RAM supplier.

I would not upgrade to a 17" laptop... I have enough trouble toting around the weight of my 15"! I know they are lighter now, but a 17 is always at least one pound heavier than a 15" and after schlepping one around an airport in a hurry to catch a connecting flight, that pound gets heavier and heavier... at my age, I would seriously be considering the 13"... it's a pound lighter than the 15"

No didn’t install. Was not on Leopard. Had the old system.

First time it’s ever given me any problems.

Agree about the weight.

Thanks for input. I’m currently in Asia. So hoping the Mac guys here can fix it or ship it to be fixed. No Apple store here, just authorized dealers.

The 325. you paid to repair seems very resonable. Would be great if they could fix it here.

Pardon my ignorance, but when is the quad-core expected?

I prefer the flat screen over the glossy one. I think it’s only available on the 15 inch.

No Snow Leopard for me. I have a perfectly good PowerMac and I think I’ll keep the same OS on that and the MBP.

I’m always trying to lighten the load of my backpack. Never seems to work. LOL

Great advice on upgrading RAM outside of MAC. Will ask supplier here what is recommended.

Anyone else having problems installing the update?

No problem on the installation.

So far so good.

The current Macbook Pros come with 4gb ram...

Thanks. Just read that too. That should be enough, right?

"Should I replace it with 17 vs 15?"

~~~~~

I have (and constantly use) both 15 & 17" MacBook Pros -- and the 17" has the 1920 X 1200 pixel ultra-resolution display. Some "+/-" points to consider about the 17" MBP:

+ The Utra-res screen allows me to run two full-sized pages side-by-side. Right now I have the FR "My Comments" page on the left (with the "Forum" page "behind" it), and FR's "slave" screen for the selected thread on the right. That is a real convenience.
- The higher resolution for a given screen size, the smaller everything (including text) appears. Today's my 72nd birthday, and I am finding that some smaller online font sizes are getting hard to read on the UHR 17". Fortunately, the Multi-Touch keypad allow you to "zoom in" with a "pinch out" gesture -- and Safari has a text-size tool you can add to the menu bar.
- the 17" MBP is definitely chunkier to carry around. Sometimes when I'm sliding it out of the case, it feels like it wants to slip out of my fingers.
- (...a point not often discussed...) The 17" probably will not fit your 15" carrying case, and all the 17" cases I have seen are much bigger, heavier, and clunkier. For traveling, my 15" with its sleek Targus soft leather case is much nicer.
+ I am a cartographer mapmaker) who does lots of GIS work making composites of overhead imagery with map feature overlays. The ultra-res 17" works great for my purposes -- and the LED backlighting allows me to work in the field doing archaeological surveying with GPS coordinates, waypoints, and routes displayed live, on a georeferenced map/aerial image. Nice!
- I do lots of "PowerPoint-like" presentations (directly from Canvas) using video projectors. Projector technology seems to lag behind laptop display sizes, aspect ratios and resolutions. I have to "throttle back" to using less than the full capability of the 17" UHR MBP screen (smaller page sizes) -- because most projectors you encounter will not match the resolution or aspect ratio -- or both... The 15" seems to "match up better" with more common projectors.

~~~~~~~~~~

The 15" MBP is, for me, my "all purpose tool". The 17" serves more specialized needs..

...just $.02 from a guy who started with a 16K Apple ][+ -- with a Radio Shack cassette tape for a "hard drive -- and who is very happy with both sizes of MacBook Pros... '-)

Apple releases Mac OS X 10.6.2

About the Mac OS X v10.6.2 Update

Summary

Products Affected

About Security Update 2009-006 / Mac OS X v10.6.2

Summary

Products Affected

Security Update 2009-006 / Mac OS X v10.6.2