Apple has released its first security fixes of 2010 for Mac OS 10.5 and 10.6, addressing a number of issues in third-party code that Apple ships as part of its operating system.
One of those third-party items is Adobe's Flash Player plug-in, which is being updated to version 10.0.42 for Mac OS. Adobe's software, including Flash, is a frequent target for the security research community. Unlike Microsoft, whose Windows update mechanism does not include Adobe fixes, Apple delivers Adobe updates as part of its own security updating process. Apple takes the same approach to Java updates, which were the reason for its previous security update in December 2009.
The company is also providing a fix for OpenSSL issues related to a potential man-in-the-middle attack scenario. The attack against SSL was first reported back in November.
"An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL," Apple noted in its advisory.
Apple's first 2010 update also includes a fix for a security issue in the Common Unix Printing System, better known as CUPS. (Apple's Mac OS has been Unix-certified since the Leopard release in 2007.)
"By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service," Apple stated in its advisory.
Apple is also fixing a pair of image-handling issues in OS X's ImageIO and ImageRAW subsystems, whereby simply viewing a malicious image file could potentially lead to arbitrary code execution.
Audio isn't spared in this first Apple update of 2010 either, with a security update for Mac OS X's Core Audio system.
"A buffer overflow exists in the handling of mp4 audio files," Apple stated in its advisory. "Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking."
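To illustrate the class of defect the Core Audio advisory describes (a file-supplied length trusted when copying into a fixed buffer) and the kind of bounds checking that addresses it, here is an added example in C; it is not Apple's code or the actual fix, the MP4 box samples are constructed, and `MAX_PAYLOAD` and `parse_box` are names chosen for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest payload the (constructed) decoder keeps in its fixed buffer. */
#define MAX_PAYLOAD 64

/* Result codes: 0 on success, negative when the box is rejected. */
enum { BOX_OK = 0, BOX_TRUNCATED = -1, BOX_BAD_SIZE = -2, BOX_TOO_BIG = -3 };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Parse one MP4-style box (4-byte big-endian size, 4-byte type, payload)
 * from in[0..in_len), copying the payload into out (capacity MAX_PAYLOAD).
 * Every length used for copying is checked against both the bytes actually
 * present and the destination capacity before memcpy runs; using the file's
 * own size field unchecked is the classic buffer-overflow pattern.
 */
int parse_box(const uint8_t *in, size_t in_len, char type[5],
              uint8_t out[MAX_PAYLOAD], size_t *payload_len) {
    if (in_len < 8)                      /* header itself must be present  */
        return BOX_TRUNCATED;
    uint32_t size = read_be32(in);
    if (size < 8)                        /* size includes the 8-byte header */
        return BOX_BAD_SIZE;
    if (size > in_len)                   /* claims more bytes than we have  */
        return BOX_TRUNCATED;
    size_t n = size - 8;
    if (n > MAX_PAYLOAD)                 /* would overrun the output buffer */
        return BOX_TOO_BIG;
    memcpy(type, in + 4, 4);
    type[4] = '\0';
    memcpy(out, in + 8, n);
    *payload_len = n;
    return BOX_OK;
}

int main(void) {
    /* Constructed: a 12-byte "ftyp" box carrying the 4 payload bytes "M4A ". */
    const uint8_t good[] = {0, 0, 0, 12, 'f', 't', 'y', 'p', 'M', '4', 'A', ' '};
    /* Constructed: header claims 0xFFFFFFFF bytes but only 8 bytes follow. */
    const uint8_t bad[] = {0xFF, 0xFF, 0xFF, 0xFF, 'm', 'd', 'a', 't'};
    char type[5]; uint8_t payload[MAX_PAYLOAD]; size_t n = 0;
    printf("good: %d\n", parse_box(good, sizeof good, type, payload, &n));
    printf("bad:  %d\n", parse_box(bad, sizeof bad, type, payload, &n));
    return 0;
}
```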