Apple fixed 18 security flaws in the latest update to its Mac OS X operating system. Several of the bugs are tied to the handling of images.
Apple has pushed out an upgrade for Mac OS X that plugs 18 security holes, among them a series of critical bugs tied to the handling of various image formats. The update, which
brings the OS to version 10.5.8, fixes a number of issues related to
ImageIO's handling of OpenEXR images, EXIF metadata andPNGimages. Apple also patched a stack buffer overflow that exists in the way Image RAW handles Canon RAW images.
All totaled, there were six vulnerabilities affecting the different image file formats. According to Apple's advisory, all of which can be exploited by getting users to view malicious images.
The update also
addresses two issues affecting Apple's Safari browser. The first is a
flaw in the CFNetwork that could allow a malicious Website to control
the displayed Website URL in a certificate warning. "When Safari
reaches a Website via a 302 redirection and a certificate warning is
displayed, the warning will contain the original Website URL instead of
the current Website URL," according to Apple. "This may allow a
maliciously crafted Website that is reached via an open redirector on a
user-trusted Website to control the displayed Website URL in a
certificate warning." In addition, the
update extends the system's list of content types that will be flagged
as potentially unsafe under certain circumstances, for example, if they
are downloaded from a Web page. While these content types are not
automatically launched, if manually opened they could lead to the