Establishing Digital Trust: Don't Sacrifice Security for Convenience
Apple has patched its Mac 10.5 Leopard for the second time in its young life. Meanwhile, its older sibling, Mac OS 10.4 Tiger, will also get its share of fixes.
In total, the vulnerabilities are serious enough that the United States Computer Emergency Readiness Team (US-CERT) has issued a Technical Cyber Security Alert.
"The impacts of these vulnerabilities vary," US-CERT's alert states. "Potential consequences include arbitrary code execution, sensitive information disclosure, and denial of service."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iAmong the fixes for Tiger is a patch for Service Location Protocol, or SLP (define), which was at risk from stack buffer overflow. Apple admits in its advisory that the issue was first reported more than a year ago as part of January 2007's Month of Apple Bugs.
Though the issue is a long-standing one, the actual impact of the bug is relatively limited. Apple notes that if a hacker exploits the flaw, a local user may be able to take advantage by executing arbitrary code with system privileges.
Tiger also gets a fix for an issue with its Mail application.
"An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message," Apple's advisory states.
Apple's fix for Mail is simple: Don't launch the file on click -- just show the location of the file.
For Leopard, Apple has fixed a critical memory-corruption issue that affects its Safari Web browser. If a user visits a specially constructed URL, arbitrary code execution or a system crash could result.
Apple has fixed the issued in 10.5.2 by using additional URL validations.
The Leopard update also includes a fix for Apple's parental controls, which is supposed to limit access based on specified settings. The flaw does not lead to arbitrary code execution but rather to an involuntary information disclosure to Apple.