
Update love for the Tiger crowd: Security Update 2008-001

Want the security goodness of 10.5.2 in a familiar, Tiger-iffic package? You want the new, much improved Security Update 2008-001, available now for client and server versions of 10.4.11. The update includes fixes for URL vulnerabilities in Mail, Terminal and Safari, patches for Parental Controls and X11, and more -- full list after the break.

You can find this update in Software Update or download direct from Apple. Happy patching!

Mac OS X v10.5.2 / Security Update 2008-001

  • Directory Services

    CVE-ID: CVE-2007-0355

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue.

  • Foundation

    CVE-ID: CVE-2008-0035

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution

    Description: A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X v10.5.

  • Launch Services

    CVE-ID: CVE-2008-0038

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: An application removed from the system may still be launched via the Time Machine backup

    Description: Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup. This update addresses the issue by not allowing applications to be launched directly from a Time Machine backup. This issue does not affect systems prior to Mac OS X v10.5. Credit to Steven Fisher of Discovery Software Ltd. and Ian Coutier for reporting this issue.

  • Mail

    CVE-ID: CVE-2008-0039

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Accessing a URL in a message may lead to arbitrary code execution

    Description: An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message. This update addresses the issue by displaying the location of the file in Finder rather than launching it. This issue does not affect systems running Mac OS X v10.5 or later.

  • NFS

    CVE-ID: CVE-2008-0040

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: If the system is being used as an NFS client or server, a remote attacker may cause an unexpected system shutdown or arbitrary code execution

    Description: A memory corruption issue exists in NFS's handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through improved handling of mbuf chains. This issue does not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of Sun Microsystems for reporting this issue.

  • Open Directory

    Available for: Mac OS X v10.4.11, Mac OS X v10.4.11 Server

    Impact: NTLM authentication requests may always fail

    Description: This update addresses a non-security issue introduced in Mac OS X v10.4.11. A race condition in Open Directory's Active Directory plug-in may terminate the operation of winbindd, causing NTLM authentications to fail. This update addresses the issue by correcting the race condition that could terminate winbindd. This issue only affects Mac OS X v10.4.11 systems configured for use with Active Directory.

  • Parental Controls

    CVE-ID: CVE-2008-0041

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Requesting to unblock a website leads to information disclosure

    Description: When set to manage web content, Parental Controls will inadvertently contact www.apple.com when a website is unblocked. This allows a remote user to detect the machines running Parental Controls. This update addresses the issue by removing the outgoing network traffic when a website is unblocked. This issue does not affect systems prior to Mac OS X v10.5. Credit to Jesse Pearson for reporting this issue.

  • Samba

    CVE-ID: CVE-2007-6015

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests. If a system is explicitly configured to allow "domain logons", an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected. This update addresses the issue by applying the Samba patch. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html. Credit to Alin Rad Pop of Secunia Research for reporting this issue.
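The Samba entry above only applies to systems explicitly configured for "domain logons". The following is an added example (not Apple's or Samba's code) that parses an smb.conf and reports whether that precondition is set; the sample configuration is constructed inline.

```python
"""Check whether an smb.conf enables "domain logons", the precondition
named in the CVE-2007-6015 entry.  Added example, not Apple's or Samba's
code.  The sample config below is constructed for illustration."""

# Constructed sample smb.conf for a server acting as a domain controller.
SAMPLE_SMB_CONF = """\
# constructed sample, not a real config
[global]
    workgroup = EXAMPLE
    security = user
    Domain  Logons = Yes
    netbios name = PDCSRV
; [homes] is unrelated to the issue
[homes]
    browseable = no
"""

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def parse_smb_conf(text):
    """Return {section: {key: value}}.  Section names and keys are
    lower-cased and internal whitespace in keys is collapsed, matching
    Samba's case-insensitive parameter handling.  Lines starting with
    '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def domain_logons_enabled(text):
    """True if [global] sets 'domain logons' to a Samba true value.
    Samba's default for the parameter is 'no', so a missing key is False."""
    value = parse_smb_conf(text).get("global", {}).get("domain logons", "no")
    if value.lower() in _TRUE:
        return True
    if value.lower() in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean for domain logons: {value!r}")


if __name__ == "__main__":
    print("domain logons enabled:", domain_logons_enabled(SAMPLE_SMB_CONF))
```

Point it at the smb.conf your Samba actually loads (on Mac OS X of this era that is assumed to be /etc/smb.conf); a True result means the patch, or disabling domain logons, is the priority on that host.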

  • Terminal

    CVE-ID: CVE-2008-0042

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously crafted web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved validation of URLs. Credit to Olli Leppanen of Digital Film Finland and Brian Mastenbrook for reporting this issue.

  • X11

    CVE-ID: CVE-2007-4568

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4

    Description: Multiple vulnerabilities exist in X11 X Font Server (XFS), the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to version 1.0.5. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

  • X11

    CVE-ID: CVE-2008-0037

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Changing the settings in the Security Preferences Panel has no effect

    Description: The X11 server does not correctly read its "Allow connections from network clients" preference, which can cause the X11 server to accept connections from network clients even when the preference is turned off. This update addresses the issue by ensuring the X11 server reads its preferences correctly. This issue does not affect systems prior to Mac OS X v10.5.
