Apple Patches Critical OS X Flaws

 
 
By Matt Hines  |  Posted 2006-06-28
 
 
 
Apples latest version of its Mac OS X operating system, released June 27, promises to patch a series of serious security vulnerabilities that could allow hackers to take control of computers running the software.

The computer maker has forwarded Mac OS X Version 10.4.7 to its users, which addresses five individual security issues present in the operating system since its original 10.4 release. Earlier versions of OS X were not affected by the vulnerabilities, the company said. The update specifically addresses problems present in Mac OS X 10.4 through 10.4.6, as well as in Mac OS X Server 10.4 through 10.4.6.

Several security companies ranked the OS X glitches reported by Apple as critical, including Symantec in the United States and the French Security Incident Response Team. Apple representatives said that there have been no reported exploits related to the flaws.

With Mac OS X 10.4.7, Apple resolves many networking problems. Click here to read more.

The first problem detailed by Apple involves an error in the softwares AFP (AppleTalk Filing Protocol) server code, the client/server file-sharing protocol used in the companys AppleTalk networking technology. Present when the AFP server is being used to display search results, the company said the issue could be exploited remotely by outsiders to disclose the names of certain files and folders stored on machines running affected versions of the OS.

The second vulnerability reported by Apple addresses a stack overflow error in the OS X ImageIO feature, which is used for handling images. When being used to process malformed TIFF image files, systems running the program could have their desktop applications shut down or made vulnerable to attacks that use a specially crafted TIFF image to deliver themselves.

The third flaw addressed in the update is linked to an error in the OS X OpenLDAP server code that fails to properly handle invalid LDAP requests and could be remotely exploited to cause denial-of-service attacks, Apple said.

A fourth glitch that the computer maker claims to have fixed involves a format string error in the softwares setuid program known as "launchd" that may allow an authenticated local user to execute arbitrary code with system privileges. Apple said the issue is present in launchds logging facility.

The fifth and final vulnerability reported by Apple relates to an error in the OS X ClamAV anti-virus technology, which the company said could be allow attackers to execute arbitrary code. To do so, a hacker would need to trick an end user into downloading their virus signature from a malicious Web server, according to Apple.

Embraced by many users for its perceived security advantage over other operating systems such as Microsofts Windows, Apple has been forced to report a handful of security vulnerabilities discovered in OS X over the last several months. Most recently, the company released an updated version of the OS in March that promised to plug a dozen flaws.

That first security update from Apple for 2006 came less than a week after the release of exploit code for its Safari browser flaw and the discovery of two worms affecting Mac OS X users.

Check out eWEEK.coms for the latest news, reviews and analysis on Apple in the enterprise.

Rocket Fuel