The Mac OS X security train pulled into the patching station Feb. 11 with fixes for a total of 10 vulnerabilities, including one that was first disclosed more than a year ago during the Month of Apple Bugs project.
The megapatch-available for both Tiger and Leopard users-covers holes that put Mac users at risk of code execution, denial-of-service and information disclosure attacks. Eight of the 10 vulnerabilities affect Mac OS X 10.5.2.
According to a security bulletin accompanying the patches, one of patches covers a security hole disclosed more than 11 months ago during the controversial MOAB project, in which hackers released daily alerts for flaws in the Mac ecosystem.
The bug, described as a stack buffer overflow, exists in the SLP (Service Location Protocol) daemon, and can execute arbitrary code with system privileges.
The patch batch also covers a serious flaw in the way the Safari browser handles certain URLs. “Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution,” Apple warned, chalking it up to a memory corruption issue. The vulnerability does not affect systems prior to Mac OS X v10.5.
The Launch Services API, which is used to open applications or their document files or URLs in a way similar to the Finder or the Dock, is also being patched, in order to correct a bug that causes an application to be launched via Time Machine backup even after it’s removed from the system.
The Mac OS X Mail client is also being patched to fix an implementation issue in Mail’s handling of “file://” URLs. “[This could] allow arbitrary applications to be launched without warning when a user clicks a URL in a message,” Apple warned. The Security Update also covers a gaping hole in Samba that could lead to an unexpected application termination or arbitrary code execution. The issue is a stack buffer overflow in Samba when processing certain NetBIOS Name Service requests.
“If a system is explicitly configured to allow ‘domain log-ons,’ an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected,” Apple said.
A separate patch also covers a Terminal hole that could allow code execution attacks from simply viewing a booby-trapped Web page. Apple described the issue as an input validation error in the processing of URL schemes handled by Terminal.app.
Apple also patched a remote code execution issue in the way NFS (Network File System) handled mbuf chains; a pair of X11 vulnerabilities that introduce arbitrary code execution risks; and an information disclosure bug in Parental Controls.