Apple Patches Flawed Leopard, Tiger
US-CERT issues Technical Security Alert as Apple updates its operating systems with 11 patches.
Apple has patched its Mac 10.5 Leopard for the second time in its young life. Meanwhile, its older sibling, Mac OS 10.4 Tiger, will also get its share of fixes.
In total, the vulnerabilities are serious enough that the United States Computer Emergency Readiness Team (US-CERT) has issued a Technical Cyber Security Alert.
"The impacts of these vulnerabilities vary," US-CERT's alert states. "Potential consequences include arbitrary code execution, sensitive information disclosure, and denial of service."
Though the issue is a long-standing one, the actual impact of the bug is relatively limited. Apple notes that if a hacker exploits the flaw, a local user may be able to take advantage by executing arbitrary code with system privileges.
Tiger also gets a fix for an issue with its Mail application.
"An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message," Apple's advisory states.
Apple's fix for Mail is simple: Don't launch the file on click -- just show the location of the file.
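The behavior described for the Mail fix, showing where a file is rather than launching it, can be written as a click policy. The sketch below is an added illustration, not Apple's code; the function name, the allow-list of schemes and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Schemes handed to the default handler on click (assumed allow-list for this example).
OPEN_SCHEMES = {"http", "https", "mailto"}


def click_action(url: str):
    """Decide what a mail client does when a link in a message is clicked.

    Returns (action, target) where action is:
      "open"   - hand the URL to its default handler
      "reveal" - show the file's location, never launch it
      "block"  - do nothing
    """
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()  # schemes are case-insensitive

    if scheme in OPEN_SCHEMES:
        return ("open", url)

    if scheme == "file":
        # Only local files can be revealed; a remote host in a file URL is refused.
        host = (parts.hostname or "").lower()
        if host not in ("", "localhost"):
            return ("block", url)
        path = unquote(parts.path)  # decode %20 and similar before display
        if not path.startswith("/") or "\x00" in path:
            return ("block", url)
        return ("reveal", path)

    # Any scheme not explicitly allowed is refused.
    return ("block", url)


# Constructed sample links, as they might appear in a message body.
SAMPLES = [
    "https://example.com/newsletter",
    "FILE:///Applications/Calculator.app",
    "file://localhost/Users/alice/My%20Tool.app",
    "file://fileserver.example/share/tool.app",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", click_action(link))
```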
For Leopard, Apple has fixed a critical memory-corruption issue that affects its Safari Web browser. If a user visits a specially constructed URL, arbitrary code execution or a system crash could result.
Apple has fixed the issue in 10.5.2 by using additional URL validations.
The Leopard update also includes a fix for Apple's parental controls, which are supposed to limit access based on specified settings. The flaw does not lead to arbitrary code execution but rather to an involuntary information disclosure to Apple.