CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 15th, 2008

Apple Update 2008-008 Patches 21 Security Vulnerabilities In OS X 10.5.6

Apple has issued updates for 21 security vulnerabilities in a wide range of software and services contained in the latest Mac operating system.

One of the flaws allows miscreants to remotely install malware on a machine with little or no action required by the user. The update also patches vulnerabilities in Adobe Flash, which were disclosed more than a month ago and are being actively exploited in the wild. Apple also patched its own software for handling documents based on PDF, or portable document format.

Other software defects in BOM (Bill of Materials), CoreGraphics, Libsystem, and other OS X components could also lead to the execution of malicious code. One vulnerability in Safari could allow attackers to steal cookies used to authenticate a user on a sensitive website, while another allowed users to download potentially unsafe files without warning.

Security Update 2008-008 / Mac OS X v10.5.6 addresses the following issues:

ATS CVE-ID:  CVE-2008-4236
Available for:  Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service.

BOM CVE-ID:  CVE-2008-4217
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Downloading or viewing a maliciously crafted CPIO archive may lead to arbitrary code execution or unexpected application termination.

CoreGraphics CVE-ID:  CVE-2008-3623
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.

CoreServices CVE-ID:  CVE-2008-3170
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Visiting a maliciously crafted website may lead to the disclosure of user credentials.

CoreTypes CVE-ID:  CVE-2008-4234
Available for:  Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Attempting to launch unsafe downloaded content may not lead to a warning. This issue does not affect systems prior to Mac OS X v10.5.

Flash Player Plug-in CVE-ID:  CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Multiple vulnerabilities in Adobe Flash Player plug-in. The issues are addressed by updating the Flash Player plug-in to version 9.0.151.0. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb08-20.html

Kernel CVE-ID:  CVE-2008-4218
Available for:  Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  A local user may obtain system privileges. These issues do not affect PowerPC systems.

Kernel CVE-ID:  CVE-2008-4219
Available for:  Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Running an executable that links dynamic libraries on an NFS share may lead to an unexpected system shutdown.

Libsystem CVE-ID:  CVE-2008-4220
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Applications that use the inet_net_pton API may be vulnerable to arbitrary code execution or an unexpected application termination. This update is provided to help mitigate potential attacks against any application using this API.

Libsystem CVE-ID:  CVE-2008-4221
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Applications that use the strptime API may be vulnerable to arbitrary code execution or unexpected application termination.

Libsystem CVE-ID:  CVE-2008-1391
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Applications that use the strfmon API may be exposed to an unexpected application termination or arbitrary code execution.

Managed Client CVE-ID:  CVE-2008-4237
Available for:  Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  The managed screen saver settings are not applied. This issue does not affect systems with built-in Ethernet.

network_cmds CVE-ID:  CVE-2008-4222
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  A remote attacker may be able to cause a denial of service if Internet Sharing is enabled.

Podcast Producer CVE-ID:  CVE-2008-4223
Available for:  Mac OS X Server v10.5 through v10.5.5
Impact:  A remote attacker may be able to access the administrative functions of Podcast Producer.

UDF CVE-ID:  CVE-2008-4224
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Opening an ISO file may lead to an unexpected system shutdown.

Security updates may be obtained from the Software Update pane in System Preferences, or Apple’s software downloads web site http://www.apple.com/support/downloads.

The large patch batch comes six days after Microsoft issued fixes for 28 vulnerabilities, the company’s biggest release in more than five years.
