Apple Zaps 16 Mac OS X Holes

A third of the fixes deal with potentially serious flaws in the Apache Web server.

Apple Computer Inc. late Thursday rolled out a monster update to correct 16 potentially serious vulnerabilities in the Mac OS X operating system.

According to an advisory from Apple, the update corrects flaws that could lead to security bypass, spoofing, exposure of sensitive data, privilege escalation, DoS (denial of service) attacks and unauthorized system access.

Research firm Secunia has tagged the update as "highly critical."

According to the advisory, one-third of the fixes deal directly with the open-source Apache Web server, with the most serious putting users at risk of replay attacks.

That fix, in the Mac OS X Server-specific "mod_digest_apple," was necessary because of multiple corrections to the replay problems already fixed in Apache server versions 1.3.31 and 1.3.32.

The computer maker also plugged multiple holes in Apache and mod_ssl that could be exploited to inject malicious characters into error log files, bypass certain security restrictions, gain escalated privileges, gain unauthorized access to other Web sites, cause a DoS condition, and potentially compromise a vulnerable system.

The update also corrects another security issue in Apache that results in access to ".DS_Store" files and files starting with ".ht" not being fully blocked. Apple said the problem exists because its HFS+ file system handles file access in a case-insensitive way, while the Apache configuration blocks access in a case-sensitive way.

Apples update also corrects integer overflows and poor range-checking in TIFF handling in Appkit. "Flaws in decoding TIFF images could overwrite memory, cause arithmetic errors resulting in a crash, or permit the execution of arbitrary code. This update corrects the problems in the handling of TIFF images," the advisory said.

/zimages/2/28571.gifClick here for a look at Apples performance in 2004.

The update also plugs a buffer overflow in PostScript-to-PDF conversion that could allow execution of arbitrary code and a separate flaw in the QuickTime Streaming Server that could lead to DoS attacks.

Apples Safari Web browser was also patched to secure users against URL-spoofing attacks and misleading information about which Web site launched a pop-up window.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis about Apple in the enterprise. And for insights on Macintosh coverage around the Web, check out Executive Editor Matthew Rothenbergs Weblog.