February 11, 2008 2:10 PM PST

Apple releases security updates for Leopard, Tiger

Apple today released 11 security updates for Mac OS X, many of them specific to the newly released Leopard operating system. Security Update 2008-001 is Apple's first of 2008. The affected components include Time Machine, Mail, and Parental Controls. The update can be downloaded and installed via the Software Update preference pane, or from Apple Downloads.

Directory Services
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses the vulnerability in CVE-2007-0355. Apple says, "A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges." Apple credits Kevin Finisterre of Netragard for reporting this vulnerability.

Foundation
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0035. A memory corruption issue exists in Safari's handling of URLs; by enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. Apple notes that this issue does not affect systems prior to Mac OS X v10.5.

Launch Services
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0038. A removed application may still be launched via the Time Machine backup. Apple says, "Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup." Apple credits Steven Fisher of Discovery Software and Ian Coutier for reporting this vulnerability.

Mail
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses the vulnerability in CVE-2008-0039. Affected users accessing a URL in a message may experience arbitrary code execution. Apple says, "An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message." This issue does not affect systems running Mac OS X v10.5 or later.

NFS
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0040. A remote attacker may cause an unexpected system shutdown or arbitrary code execution if the system is being used as an NFS client or server. Apple says, "A memory corruption issue exists in NFS' handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution." This issue does not affect systems running Mac OS X v10.5 or later. Apple credits Oleg Drokin of Sun Microsystems for reporting this issue.

Open Directory
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. No CVE number is given. Affected users may find that NTLM authentication requests always fail. Apple says, "This update addresses a non-security issue introduced in Mac OS X v10.4.11. A race condition in Open Directory's Active Directory plug-in may terminate the operation of winbindd, causing NTLM authentications to fail. This issue only affects Mac OS X v10.4.11 systems configured for use with Active Directory."

Parental Controls
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0041. Affected users may find that requesting to unblock a Web site leads to information disclosure. Apple says, "When set to manage Web content, Parental Controls will inadvertently contact www.apple.com when a Web site is unblocked. This allows a remote user to detect the machines running Parental Controls." Apple credits Jesse Pearson for reporting this issue.

Samba
This patch affects users of Mac OS X v10.4.11, v10.5, and v10.5.1 and Mac OS X Server v10.4.11, v10.5, and v10.5.1. The patch addresses the vulnerability in CVE-2007-6015. A remote attacker may cause an unexpected application termination or arbitrary code execution. Apple says, "A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests. If a system is explicitly configured to allow 'domain logons,' an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected." Apple credits Alin Rad Pop of Secunia Research for reporting this issue.

Terminal
This patch affects users of Mac OS X v10.4.11, v10.5, and v10.5.1 and Mac OS X Server v10.4.11, v10.5, and v10.5.1. The update addresses the vulnerability in CVE-2008-0042. Affected users viewing a maliciously crafted Web page may experience arbitrary code execution. Apple says, "An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously crafted Web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution." Apple credits Olli Leppanen of Digital Film Finland and Brian Mastenbrook for reporting this issue.

X11
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2007-4568. Apple says, "Multiple vulnerabilities in X11 X Font Server (XFS), the most serious of which may lead to arbitrary code execution."

X11
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0037. An affected user may find that changing the settings in the Security Preferences Panel has no effect. Apple says, "The X11 server is not reading correctly its 'Allow connections from network client' preference, which can cause the X11 server to allow connections from network clients, even when the preference is turned off." This issue does not affect systems prior to Mac OS X v10.5.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.