Apple Fixes 53 Security Vulnerabilities in Mac OS X
New Mac 10.6.3 update addresses a long list of security and stability issues.
Apple has released a sweeping patch update for Mac OS X that bumps the OS to 10.6.3 and also delivers fixes for the older 10.5.8 release of its operating system.
The vulnerabilities range in severity from information disclosure and Denial of Service (DoS) to Cross-Site Scripting (XSS) flaws. Security rating firm Secunia has rated the entire update as "highly critical."
The full OS X security fix list covers both the desktop and server versions of OS X. One of the most innocuous-sounding items in this security release from Apple is a fix for a spell-checking vulnerability in OS X 10.5.8.
"A buffer overflow exists in the spell-checking feature used by Cocoa applications," Apple stated in its advisory. "Spell checking a maliciously crafted document may lead to an unexpected application termination or arbitrary code execution."
Audio was also at risk. A pair of updates for OS X 10.6.2 fix vulnerabilities in Apple's Core Audio. According to Apple, simply playing a maliciously crafted audio file could have led to arbitrary code execution on the user's computer.
Watching a video file also could have left Mac users at risk, thanks to vulnerabilities in Apple's Core Media engine and its QuickTime media player. With 10.6.2, Apple is fixing a buffer overflow condition in the way that Core Media handles an H.263-encoded movie file.
For QuickTime, Apple has included nine separate advisories as part of the update to 10.6.2. The QuickTime issues fixed by Apple include handling errors in a number of encoding formats: H.263, H.261, H.264, Sorenson, MPEG, FLC, FlashPix, M-JPEG, and RLE.
Viewing images on a Mac could also have led to a user's system being exploited. Apple's ImageIO image rendering system is being patched for at least four different vulnerabilities. A buffer overflow in how OS X handles JP2 images has been fixed in the update, and Apple has likewise addressed a memory corruption issue in the handling of TIFF images.
User privacy, Safari security at risk
The other two ImageIO vulnerabilities have a direct impact on Apple's Safari Web browser. A memory access issue related to TIFF images could have enabled an attacker to send data from Safari's memory to a malicious Web site. A similar issue with BMP images has also been fixed in the update.
Apple has also updated a number of open source applications that it includes with OS X. Among the updated applications are the Apache Tomcat Java server, ClamAV antivirus, the CUPS print server, and the MySQL database. The open source Perl, PHP, and Ruby languages have also been updated to the latest version to fix multiple vulnerabilities.
In addition to the security fixes, Apple is including bug and reliability improvements as part of the 10.6.3 release. Reliability improvements have been made for printing, photo screen savers, third-party USB devices, and wireless connections.
The 10.6.3 update is the first major update to the OS X 10.6 "Snow Leopard" release since the 10.6.2 update in November 2009.