Skip to Content

Apple releases Security Update 2008-007

by Cory Bohon Oct 9th 2008 at 6:00PM


Apple released Security Update 2008-007 for Mac OS X Leopard and Tiger users today. The update addresses many specific areas of the Mac OS, including: Apache, ClamAV, CUPS, Finder, and more. A full list of the areas affected by the update can be found on the Apple support website. The update is available for the following systems:
You can get the update by downloading the installer package from the Apple support website, or by opening Software Update (Apple menu > Software Update).

Continue reading for a change log for this update.

Security Update 2008-007

  • Apache

    CVE-ID: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364

    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Multiple vulnerabilities in Apache 2.2.8

    Description: Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default. Further information is available via the Apache web site at http://httpd.apache.org/

  • Certificates

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Root certificates have been updated

    Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.

  • ClamAV

    CVE-ID: CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914

    Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

    Impact: Multiple vulnerabilities in ClamAV 0.93.3

    Description: Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.94. ClamAV is not bundled on Mac OS X Client systems. Further information is available via the ClamAV website at http://www.clamav.net/

  • ColorSync

    CVE-ID: CVE-2008-3642

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ICC profiles in images. Credit: Apple.

  • CUPS

    CVE-ID: CVE-2008-3641

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: A remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user

    Description: A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges. This update addresses the issue by performing additional bounds checking. Credit to regenrecht working with TippingPoint's Zero Day Initiative for reporting this issue.

  • Finder

    CVE-ID: CVE-2008-3643

    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: A file on the Desktop may lead to a denial of service

    Description: An error recovery issue exists in Finder. A maliciously crafted file on the Desktop which causes Finder to unexpectedly terminate when generating its icon will cause Finder to continually terminate and restart. Until the file is removed, the user account is not accessible via Finder's user interface. This update addresses the issue by generating icons in a separate process. This issue does not affect systems prior to Mac OS X v10.5. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

  • launchd

    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Applications may fail to enter a sandbox when requested

    Description: This update addresses an issue introduced in Mac OS X v10.5.5. An implementation issue in launchd may cause an application's request to enter a sandbox to fail. This issue does not affect programs that use the documented sandbox_init API. This update addresses the issue by providing an updated version of launchd. This issue does not affect systems prior to Mac OS X v10.5.5.

  • libxslt

    CVE-ID: CVE-2008-1767

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/ Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team for reporting this issue.

  • MySQL Server

    CVE-ID: CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079

    Available for: Mac OS X Server v10.5.5

    Impact: Multiple vulnerabilities in MySQL 5.0.45

    Description: MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect Mac OS X Server systems. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html

  • Networking

    CVE-ID: CVE-2008-3645

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: A local user may obtain system privileges

    Description: A heap buffer overflow exists in the local IPC component of configd's EAPOLController plugin, which may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking. Credit: Apple.

  • PHP

    CVE-ID: CVE-2007-4850, CVE-2008-0674, CVE-2008-2371

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

    Impact: Multiple vulnerabilities in PHP 4.4.8

    Description: PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues only affect systems running Mac OS X v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.

  • Postfix

    CVE-ID: CVE-2008-3646

    Available for: Mac OS X v10.5.5

    Impact: A remote attacker may be able to send mail directly to local users

    Description: An issue exists in the Postfix configuration files. For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network. During this time, a remote entity who could connect to the SMTP port may send mail to local users and otherwise use the SMTP protocol. This issue does not cause the system to be an open mail relay. This issue is addressed by modifying the Postfix configuration to prevent SMTP connections from remote machines. This issue does not affect systems prior to Mac OS X v10.5 and does not affect Mac OS X Server. Credit to Pelle Johansson for reporting this issue.

  • PSNormalizer

    CVE-ID: CVE-2008-3647

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow exists in PSNormalizer's handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PostScript files. Credit: Apple.

  • QuickLook

    CVE-ID: CVE-2008-4211

    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution

    Description: A signedness issue exists in QuickLook's handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Microsoft Excel files. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.

  • rlogin

    CVE-ID: CVE-2008-4212

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Systems that have been manually configured to use rlogin and host.equiv may unexpectedly permit root login

    Description: The manpage for the configuration file hosts.equiv indicates that entries do not apply to root. However, an implementation issue in rlogind causes these entries to also apply to root. This update addresses the issue by properly disallowing rlogin from the root user if the remote system is in hosts.equiv. The rlogin service is not enabled by default in Mac OS X, and must be manually configured in order to be enabled. Credit to Ralf Meyer for reporting this issue.

  • Script Editor

    CVE-ID: CVE-2008-4214

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: A local user may gain the privileges of another user that is using Script Editor

    Description: An insecure file operation issue exists in the Script Editor application when opening application scripting dictionaries. A local user can cause the scripting dictionary to be written to an arbitrary path accessible by the user that is running the application. This update addresses the issue by creating the temporary file in a secure location. Credit: Apple.

  • Single Sign-On

    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: The sso_util command now accepts passwords from a file

    Description: The sso_util command now accepts passwords from a file named in the SSO_PASSWD_PATH environment variable. This enables automated scripts to use sso_util more securely.

  • Tomcat

    CVE-ID: CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461

    Available for: Mac OS X Server v10.5.5

    Impact: Multiple vulnerabilities in Tomcat 6.0.14

    Description: Tomcat on Mac OS X v10.5 systems is updated to version 6.0.18 to address several vulnerabilities, the most serious of which may lead to a cross site scripting attack. These issues only affect Mac OS X Server systems. Further information is available via the Tomcat site at http://tomcat.apache.org/

  • vim

    CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2008-2712, CVE-2008-3432, CVE-2008-3294

    Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

    Impact: Multiple vulnerabilities in vim 7.0

    Description: Multiple vulnerabilities exist in vim 7.0, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files. This update addresses the issues by updating to vim 7.2.0.22. Further information is available via the vim website at http://www.vim.org/

  • Weblog

    CVE-ID: CVE-2008-4215

    Available for: Mac OS X Server v10.4.11

    Impact: Access control on weblog postings may not be enforced

    Description: An unchecked error condition exists in the weblog server. Adding a user with multiple short names to the access control list for a weblog posting may cause the Weblog server to not enforce the access control. This issue is addressed by improving the way access control lists are saved. This issue only affects systems running Mac OS X Server v10.4. Credit: Apple.



View Tags

Related Stories

Categories

Software Update Security

Apple released Security Update 2008-007 for Mac OS X Leopard and Tiger users today. The update addresses many specific areas of the Mac...
 

Add a Comment

Sign in »
*0 / 3000 Character Maximum

28 Comments

Filter by:
Donna

Since installing this update, word, excel and powerpoint all crash upon opening. Since it looks like all of you installed about a month before me, I wonder why apple hasn't come up with a patch to fix all these things yet? I'm not even close to being a computer genius so I don't know how to fix it and I can't work without these programs!! aRg...

November 05 2008 at 3:28 PM Report abuse rate up rate down Reply
Dan Morgan

Just installed it today on a PB G4 1.5. First my anti-virus went crazy, then after a shutdown and boot (and ever since) the syslogd process keeps ramping up the CPU to 100% - usually a Time Machine issue, but I've never run it.

October 29 2008 at 3:35 AM Report abuse rate up rate down Reply
Larry

We have a bunch of Intel Minis (OS 10.4.11), and recently several are crashing/restarting intermittently, I thought it was the new RAM or temperature but now even older ones are now doing it, I think it was that update.

Tried AppleJack, didn't resolve it - just recently I did SMC resets to see if that helps *sigh*.

October 27 2008 at 2:51 PM Report abuse rate up rate down Reply
Gilbert

Security Patch 2008-007 locked 3 out of 4 of my drives to Read Only mode including the main production disk AND the Time Machine Backup disk. So much for having a secure backup copy before conducting upgrades eh?

Multiple reboots later - users still cannot do anything because they don't have permission to the disks. Well, to be fair by nothing I mean they can't take any action which creates, deletes, or modifies files or folders - like opening Mail or opening Address book Strangely Calendar can be opened - but no new events can even be created let alone saved.

- Yes, I have attempted to run Verify Permissions - but the option is Grayed Out.
- Yes, I have run Verify Disks (report all OK)
- Yes, I have looked in the Get Info panel, it reports users have all types and combinations of permissions.
- Yes, I have contacted Apple. Their response was to Run Verify Disk from the Leopard Install DVD and call them back if it failed - they are now closed.
- Yes, I have logged in as Root and tried Get Info. Even as the SU, all the Get Info panel options to unlock the drives, add users etc are grayed out.



October 24 2008 at 11:02 PM Report abuse rate up rate down Reply
Debra

I installed this on both my PowerBook G4 and G5 Power PC. Both were running OS 10.4.11. The first, I couldn't connect to the internet using my Powerbook, which connects through AirPort. My router was working fine and so was my modem, so I tried checking my network settings. I kept getting this message "Your network settings have been changed by another application.” I'd click on the okay button, but it would just keep coming back. The only way to get rid of it was to force quit. If you are having this problem, go to your Security Preferences and check the box that says "Require password to unlock each secure system preference.

I still couldn't access the internet or my email. Ultimately, I discovered that a master password had been assigned to my Keychain. I assume this happened during the installation of the SU and through the process of getting my desktop to work, I also assumed that this was linked to my inability get internet access or email. I tried every password I'd ever used and nothing worked. I found these directions to change the password. Go to the User Library and throw away the folder named Keychain. Restart and a new Keychain password will be created using your administrator password.

I did these two things to my laptop and had it working as usual in a matter of minutes. To fix the desktop I actually installed Leopard, but still had to do the Keychain fix.

October 23 2008 at 6:05 AM Report abuse rate up rate down Reply
Azam

MB Pro crashed three times after recent update 2008-007 (post 10.5.5) released first week of october.

Twice frozen and once crashed with kernal panic. When it froze, after restart it didn't give me "submit report to apple" option.

Did anybody notice or something wrong on my MB pro, techtool pro found no problem.

here is the last report when i was able to submit report to apple:

------------------------------------------------------------
Mon Oct 13 19:16:24 2008
panic(cpu 1 caller 0x001A8CEC): Kernel trap at 0x0022fb97, type 14=page fault, registers:
CR0: 0x80010033, CR2: 0x00033dcc, CR3: 0x01401000, CR4: 0x00000660
EAX: 0x00000594, EBX: 0x00033d80, ECX: 0x00000fff, EDX: 0x46bb4004
CR2: 0x00033dcc, EBP: 0x5b98bde8, ESI: 0x6bb6d859, EDI: 0x0000c7c5
EFL: 0x00010202, EIP: 0x0022fb97, CS: 0x00000008, DS: 0x07140010
Error code: 0x00000000

Backtrace (CPU 1), Frame : Return Address (4 potential args on stack)
0x5b98bbd8 : 0x12b0fa (0x459234 0x5b98bc0c 0x133243 0x0)
0x5b98bc28 : 0x1a8cec (0x4627a0 0x22fb97 0xe 0x461f50)
0x5b98bd08 : 0x19eed5 (0x5b98bd20 0x6ed9d04 0x5b98bde8 0x22fb97)
0x5b98bd18 : 0x22fb97 (0xe 0xad90048 0x5b980010 0x220010)
0x5b98bde8 : 0x24d0cd (0x553200 0x6bb6d859 0xbc33 0x7801a8c0)
0x5b98be48 : 0x24d3f6 (0xad9d000 0x0 0x5b98be98 0x3a564e)
0x5b98be58 : 0x3a564e (0xad9d000 0x5b98bed8 0x70b5e40 0x5b98bed8)
0x5b98be98 : 0x3acdd1 (0xad9d000 0x5b98bed8 0x0 0x1)
0x5b98bf78 : 0x3ddd6e (0x70b5e40 0x8847c20 0x8847c64 0xbfffe7f0)
0x5b98bfc8 : 0x19f3b3 (0x855a640 0x1 0x1a20b5 0x9396c60)
No mapping exists for frame pointer
Backtrace terminated-invalid frame pointer 0xb00bbc88

BSD process name corresponding to current thread: Transmission

Mac OS version:
9F33

Kernel version:
Darwin Kernel Version 9.5.0: Wed Sep 3 11:29:43 PDT 2008; root:xnu-1228.7.58~1/RELEASE_I386
System model name: MacBookPro3,1 (Mac-F42388C8)

October 14 2008 at 12:07 AM Report abuse rate up rate down Reply
Cory

After installing this patch, my video playback (from all sources--QT, iTunes, web-based flash) is "jerky," decidedly not smooth.

For sound, there is absolutely no sound from the iMac speakers--not from iTunes, not from video, not even from the "feedback sound" when I adjust the sound level. The only way to play music from my iMac is to stream it through my AirPort Express.

I can blame it all on Security Update 2008-007.

October 11 2008 at 12:22 PM Report abuse rate up rate down Reply
2 replies to Cory's comment
Cory

As a follow up, I tried to start a game for my kids, and it wouldn't start because of "fatal error" with "macsoundz"

SU 2008-007 looks like a partial lemon.

October 11 2008 at 12:43 PM Report abuse rate up rate down Reply
Cory

Update: I shut the whole system down and left it for a couple of hours out of frustration.

I powered it back up, and everything is back to normal.

I think it odd the required reboot after the patch installation didn't fix what apparently the power on/power off did fix.

Color me confused, but relieved.

October 11 2008 at 3:27 PM Report abuse rate up rate down Reply
Lance Fiasconaro

Don't install this if you haven't done so already. Screensaver keeps crashing so that my MBP must be restarted via hard boot. I've also had several other strange kernel hangs in other applications such as Safari.

October 11 2008 at 11:42 AM Report abuse rate up rate down Reply
daven

So..... does this update fix Time Machine since they borked it with the first issue of 10.5.5?

October 10 2008 at 8:51 AM Report abuse rate up rate down Reply
Jash Sayani

My Apache config file is screwed !! Hope it gets fixed....

Any way to reset Apache..??

October 10 2008 at 7:47 AM Report abuse rate up rate down Reply
Buy an ad here

Hot Apps on TUAW

Tweets

© 2012 AOL Inc. All Rights Reserved.