Apple Patches Flawed Leopard, Tiger Mac OS Leopard 10.5.2 Update Debuts with 11 Security Fixes Sean Michael Kerner
Apple has patched its Mac 10.5 Leopard for the second time in its young life as part of a 10.5.2 update release. Meanwhile, its older sibling, Mac OS 10.4 Tiger, will also get its share of fixes.
In total, the vulnerabilities are serious enough that the United States Computer Emergency Readiness Team (US-CERT) has issued a Technical Cyber Security Alert.
"The impacts of these vulnerabilities vary," US-CERT's alert states. "Potential consequences include arbitrary code execution, sensitive information disclosure, and denial of service."
Among the fixes for Tiger is a patch for Service Location Protocol, or SLP (define), which was at risk from stack buffer overflow. Apple admits in its advisory that the issue was first reported more than a year ago as part of January 2007's Month of Apple Bugs.
Though the issue is a long-standing one, the actual impact of the bug is relatively limited. Apple notes that if a hacker exploits the flaw, a local user may be able to take advantage by executing arbitrary code with system privileges.
Tiger also gets a fix for an issue with its Mail application.
"An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message," Apple's advisory states.
Apple's fix for Mail is simple: Don't launch the file on click — just show the location of the file.
For Leopard, Apple has fixed a critical memory-corruption issue that affects its Safari Web browser. If a user visits a specially constructed URL, arbitrary code execution or a system crash could result.
Apple has fixed the issued in 10.5.2 by using additional URL validations.
The Leopard update also includes a fix for Apple's parental controls, which is supposed to limit access based on specified settings. The flaw does not lead to arbitrary code execution but rather to an involuntary information disclosure to Apple.
"When set to manage Web content, the parental controls will inadvertently contact www.apple.com when a Web site is unblocked," Apple states in its advisory. "This allows a remote user to detect the machines running Parental Controls."
In addition to issues for which Apple holds responsibility, the fixes resolve problems in X.org's open source X11 graphical user interface.
One fix for Samba is a critical open source technology that allows Windows print and file sharing on Unix-based operating systems.
The 10.5.2 update is the first for the core Leopard OS since December, when 10.5.1 plugged some 31 security vulnerabilities.
Earlier this month Apple patched its often-attacked QuickTime media player, fixing a media-streaming protocol issue unresolved in its January Quicktime 7.4 update.
