Apple Update 10.5.3 and Apple Security Update 2008-003
Last Updated: 2008-05-29 02:07:36 UTC
by Joel Esler (Version: 1)
Apple released a huge update today in 10.5.3; however, I'm only going to highlight the Security Portion of the update, 2008-003. Some of these are purely Apple updates; some are simply updates to the Open Source packages that Apple provides in its Operating System.
Updates to the following modules were made:
AFP Server -- Files that are not designated for sharing may be accessed remotely.
Apache -- Multiple vulnerabilities in Apache 2.0.55, including cross-site scripting. Apache is updated to version 2.0.63 to address several vulnerabilities.
AppKit -- Maliciously crafted file, unexpected application termination, arbitrary code execution.
Apple Pixlet Video -- Vulnerability to unexpected application termination, arbitrary code execution.
ATS -- Vulnerability to arbitrary code execution.
CFNetwork -- Vulnerability leading to disclosure of sensitive information.
CoreFoundation -- Vulnerability leading to unexpected application termination or arbitrary code execution.
CoreGraphics -- Vulnerability that may lead to an unexpected application termination or arbitrary code execution.
CoreTypes -- Lack of prompting against opening "certain potentially unsafe content types" in Automator, Help, Safari, and Terminal.
CUPS -- Information disclosure.
Flash Player Plug-in -- Arbitrary code execution; updating to version 184.108.40.206.
Help Viewer -- Vulnerability to application termination or arbitrary code execution.
iCal -- Vulnerability to unexpected application termination or arbitrary code execution.
International Components for Unicode -- Disclosure of sensitive information.
Image Capture -- Path traversal vulnerability.
ImageIO -- Out-of-bounds memory read leading to information disclosure, multiple vulnerabilities in libpng version 1.2.18, and vulnerability to unexpected application termination or arbitrary code execution.
Kernel -- Remote vulnerability to unexpected system shutdown due to undetected failure condition, and local user vulnerability to unexpected system shutdown due to mishandling of code signatures.
LoginWindow -- Race condition preventing MCX preferences being applied.
Mail -- IPv6 vulnerability leading to unexpected application termination, information disclosure, or arbitrary code execution.
ruby -- Remote vulnerability, updated to version 1.1.4.
Single Sign-On -- Password disclosure in sso_util.
Wiki Server -- Remote vulnerability to information disclosure.
Happy patching all! I've upgraded three systems here, and I've had no problems that I can tell so far.