Tuesday, December 16, 2008

Apple Patches 21 Vulnerabilities in OS X

On Monday, Apple released security updates for Mac OS X 10.4 and 10.5, client and server, bringing the products up to versions 10.4.11 and 10.5.5. The updates address 21 individual vulnerabilities, as measured by CVE numbers. Seven of the vulnerabilities are in the Adobe Flash plug-in.
A wide variety of system components are affected by the updates, and many would be termed critical if Apple used severity ratings. For instance, there is a CoreGraphics bug described as "Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution". There is probably at least one of these in each OS X update. At least some of the Flash vulnerabilities could also result in arbitrary code execution. Likewise, a series of updates to Libsystem fix bugs in various APIs that could result in arbitrary code execution.
None of the bugs is a real 5-alarmer where remote users can attack with no user interaction, and several are clearly less severe. But users should still update their systems ASAP.
Originally posted to PCmag.com's Security Watch blog.