Apple patches 18 Mac vulnerabilities, ships OS X 10.5.8

Six of the fixes close critical image file bugs hackers could use to snatch Macs

Apple on Wednesday patched 18 vulnerabilities in Mac OS X, including half a dozen that could let hackers hijack machines by duping users into viewing malicious image files on the Web.

Security Update 2009-003, which was distributed along with Mac OS X 10.5.8 for Leopard users and delivered separately to Tiger users, plugged holes in components ranging from ColorSync and Dock to the kernel and MobileMe, Apple's for-pay sync and storage service.

But it was the six vulnerabilities in various image file formats that caught the eye of Andrew Storms, director of security operations at nCircle Network Security.

"The PNG [Portable Network Graphics] bug is the most interesting," said Storms of the half-dozen image file flaws. "It's a pervasive format that's frequently on Web sites," he added, noting that attackers could trigger the bug simply by getting users to visit malicious sites, a common tactic in the Windows hacker world.

"It's easy enough to host one of these malicious files on [a hacker's] Web site," Storms added.

Apple patched four flaws in the ImageIO component of the Mac's operating system related to its handling of OpenEXR images, a format developed by Lucasfilm's Industrial Light and Magic visual effects studio in 1999 and released as open source four years later. The sixth image vulnerability, also in ImageIO, could be exploited by malformed Canon RAW photographic files.

Today's security release was Apple's smallest this year by vulnerability count. In May, for example, the California-based computer company quashed 67 bugs, while February's security update patched 55.

Storms saw other oddities this time around. "Usually, we see a lot of Safari or WebKit vulnerabilities, or bugs in a lot of third-party components," he said. "Today, we got neither."

Two of the bugs Apple called out in its advisory affect Safari, but the flaws are not actually found in the browser. And with the exception of one vulnerability in the "bzip2" open-source data-compressor, all of today's bugs were within Apple's own code.

Storms also called attention to the MobileMe vulnerability, which, although not serious, could be used by unscrupulous friends or co-workers to access someone's account. "A logic issue exists in the MobileMe preference pane," Apple said in the advisory. "Signing out of the preference pane does not delete all credentials. A person with access to the local user account may continue to access any other system associated with the MobileMe account which had previously been signed in for that local account."

"This one's important only because MobileMe is such a big application for Apple," argued Storms.

More than half of the vulnerabilities -- 10 of the 18 -- were labeled with Apple's "arbitrary code execution" phrase, meaning the flaws are critical and could be exploited to compromise a Mac. Unlike other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.

Most of the bugs were specific to Leopard; the older Mac OS X 10.4, aka Tiger, only harbored seven vulnerabilities.

"Tiger users should be happy that they're still getting bug fixes," said Storms, referring to Apple's general policy of discontinuing support shortly after the second successive OS upgrade makes it to market. Apple plans to release Mac OS 10.6, dubbed Snow Leopard, in September.

Based on Apple's past performance, Storms expects to see one, at the most two, security updates for Tiger after Snow Leopard ships before Apple calls it quits.

Apple bundled the security patches with Mac OS X 10.5.8, Leopard's latest update. Included with the update were Safari 4.0.2 -- Apple unveiled that separately at June's Worldwide Developers Conference -- as well as stability improvements to AirPort and reliability tweaks to Bluetooth.

The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, but should instead look for the Mac OS X 10.5.8 update.


Gregg Keizer

Computerworld