Apple Computer Inc. has released a security update for its Mac OS X client and server software, plugging vulnerabilities in a wide range of services, including file sharing, printing and QuickTime. The update is the third set of patches offered in the span of a month.
Although dated on the cusp of September, Security Update 2004-09-30 was actually released Monday in the first full week of October. The update spans Mac OS X 2.8 and greater; Mac OS X 10.3.5, released in August, is the latest version.
The patches were offered through Apples automatic Software Update service as well as from its download page.
The company identified some eight vulnerabilities in its latest patch release. Here is a rundown of the security fixes:
- Image File Vulnerability. The wave of vulnerabilities relating to image files and libraries on all computing platforms continued as Apple stopped QuickTimes handling of a hacked BMP file that could allow “attackers to execute arbitrary code,” the company said. Similar issues with PNG (portable network graphics) files were addressed in an August update.
- AFP (Apple Filing Protocol) server vulnerabilities. Apple identified two problems related to its AFP server. One issue could allow a guest user to disconnect the server, while another could let guest users read data in a write-only directory. The company said the problem affects only machines running Version 10.3, aka Panther.
- Printing systems. Apple fixed several issues relating to its implementation of the CUPS (Common Unix Printing System) hardcopy architecture. One issue left the server open to a DOS (denial of service) attack, and another allowed certain remote printing authentication methods to gain access to the passwords in the local log files.
- Application vulnerabilities. Security problems with NetInfo Manager and ServerAdmin application, along with the Postfix mail server implementation, were treated.
The NetInfo Manager issue, found only in OS X 10.3 systems, was subtle but could prove problematic to some IT managers. The utility software can enable root access to the machine, but after logging in as root, the software couldnt disable the access, even though the account appeared to be disabled.
Mac IT managers reported no early trouble installing the update.
“Most of these [vulnerabilities] are exploitable, but only in the most strange and bizarre sense,” said Ron Hipschman, senior media specialist at San Franciscos Exploratorium science museum. While he said he is glad for the fixes, he didnt expect them to be readily exploited by attackers. “Youd have to be a real script kiddie to do so.”