Apple Computer Inc. on Friday posted a security update to correct 10 security flaws in its Mac OS X operating system, warning that the most dangerous vulnerability could put users at risk of code-execution attacks.
It is the second time in two weeks that the computer maker has shipped a security patch to swat potentially dangerous bugs. Nine days ago, Apple shipped a Java security update to plug five flaws that could cause system hijack, security bypass, data manipulation and privilege escalation attacks.
This time around, the risks are just as serious. Security alerts aggregator Secunia Inc. rates the latest patch as “highly critical” and warned that malicious hackers could bypass security settings to launch cross-site scripting, system disclosure, privilege escalation and system access attacks.
According to an alert from Apple, the most serious bug could allow an attacker to trigger a buffer overflow in ImageIO using a specially crafted GIF (Graphics Interchange Format) files.
This could result in the execution of arbitrary code, Apple acknowledged, noting that several components of the Mac OS X user ImageIO, including WebCore and Safari. “This update addresses the issue by performing additional validation of images,” the company said.
A second flaw affecting the Safari browser is also fixed to address an issue where maliciously crafted Web archives could allow cross-site scripting. “It is possible to view web archives served from remote sites in Safari,” Apple explained. “Maliciously crafted web archives may be rendered as content from sites that did not serve them. This update prevents remote Web archives from being loaded.”
In QuickDraw Manager, Apple also confirmed a code execution hole when specially created PICT images are viewed. Several components of Mac OS X utilize QuickDraw Manager, including Safari, Mail, and Finder. With the update, Apple has set the feature to perform additional validation of images.
The company also issued a QuickTime for Java update to address an issue that may cause an untrusted applet to gain elevated privileges. “The Java extensions bundled with QuickTime 6.52 and earlier allow untrusted applets to call arbitrary functions from system libraries. This update addresses the issue by limiting these calls to trusted applets,” Apple said.
Systems running QuickTime 7 or later are not affected by this issue.
The security overhaul also includes a pair of patches of Mail. When using auto-reply rules, the advisory said Mail.app may expose the contents of encrypted messages. A separate issue was also flagged when using Kerberos Version 5 for SMTP authentication. That may cause Mail.app to disclose sensitive information.
It also includes a fix for an error in the SecurityAgent that could cause the “Switch User…” button to be displayed even when the “Enable fast user switching” setting has been disabled. This may allow malicious, local users to access the current users desktop without authentication even when the “Require password to wake this computer from sleep or screen saver” setting is enabled.
A validation error in the Authorization Services “securityd” has also been patched to block a scenario where unprivileged users to gain certain privileges that should be restricted to administrative users.
Flaws in “malloc” and “Ruby” are also fixed.
Mac users can download and install the security update via the operating systems “Software Update” preferences. On the “Apple Downloads” section, the company has posted patches for Mac OS X 10.3.9 and Mac OS X 10.4.2 customers.
