Apple Patches Flaws in Mac OS X
A security alert warns of 'extremely critical' security vulnerabilities and Apple urges users to upgrade to the new Mac OS X 10.2.5.
has released an update of its flagship Mac OS X operating system to fix seven serious security holes that could leak sensitive information and lead to DoS and system access attacks.
Apple pushed out the new version -- Mac OS X 10.2.5 -- after security research firm @Stake warned warned of known holes in the operating system's implementations of OpenSSL, Apache Server, Sendmail and Samba and two new vulnerabilities in the DirectoryService that can cause a denial-of-service.
A vulnerability alert from Secunia tagged the security holes with an "extremely critical" rating, especially because of the known Sendmail flaw that could allow an attacker to gain control of a unpatched Sendmail server.
In urging all users to upgrade to the latest Mac OS X 10.2.5 release, Apple said the previous versions contained an information disclosure vulnerability in OpenSSL that can be exploited by intruders to gain knowledge of the pre-master secret, which can be used to identify the session keys used during SSL/TLS sessions.
It also plugs an exceptional handling error issue in the Apache Server which can lead to denial-of-service attacks if an attacker sends multiple HTTP requests, which include large chunks of linefeeds.
The new holes, in DirectoryServices, leaves the Mac OS X susceptible to several attacks, ultimately allowing a local user to obtain root privileges. "In order for an attacker to exploit this vulnerability, they must first cause DirectoryServices to terminate. This can be done by simply connecting to port 625 repeatedly using an automated program," @Stake warned.
The fixed version of the Mac OS X is available here.
Apple also announced that the new version has been jazzed up to include Bluetooth support for Nokia 7650 and P800 phones. The operating system's Bluetooth Setup Assistant will also work with certain Microsoft keyboards and mouse devices and adds Image Capture support for Canon EOS 10D, ZR65, and ZR 70 cameras, the company said.
Mac OS X 10.2.5 also adds disc burning support for several devices and improves Mail's selection of character encoding for messages sent in some foreign languages. It also promises improved reliability of AppleEvents traffic (inter-application communication) between software running in the Classic environment and native Mac OS X.