Apple Ships Mac OS X Mega Update
Security Update 2008-002 covers scores of critical vulnerabilities that could lead to remote code execution attacks.
It's officially Patch Day in the land of the Mac.
On the heels of the release of Safari 3.1, with patches for more than a dozen browser vulnerabilities, Apple has shipped a mega update for its flagship Mac operating system, fixing at least 80 documented vulnerabilities in a wide range of core components.
The Security Update 2008-002, available for Mac OS X desktop and server, covers several critical issues that could lead to remote code execution attacks.
On the desktop side, the Foundation bug (CVE-2008-0059) appears to be the most serious. "Processing an X M L document may lead to an unexpected application termination or arbitrary code execution," Apple warns, noting that an attacker could use a booby-trapped X M L file to exploit a race condition in NSX M L.
On the server side, security experts are calling attention to a bunch of ClamAV and CUPS vulnerabilities that could cause remote compromise if mail or printer sharing is enabled.
The mega update addresses publicly known flaws in several open-source components-Apache, PHP, ClamAV, OpenSSH and Kerberos-and multiple holes in AppKit.
Other flawed components fixed with this update include Core Foundation, Core Services, curl, Emacs, Help Viewer, ImageRaw, mDNSResponder, Podcast Producer, Preview, Printing and System Configuration.