Apple Computer Inc. late Monday shipped a security update to patch five Mac OS X security flaws and warned that the most dangerous bug could be exploited to bypass security restrictions.
In an advisory, Apple urged users to upgrade to Mac OS X 10.4.3 (client and server) to protect against security bypass and system exposure attacks.
The most serious of the five flaws is an error in “memberd,” the daemon process used by the system to resolve group memberships.
In certain situations, Apple explained, changes to a groups membership may be delayed for hours in access control checks, resulting in an authenticated user being able to access files or other resources even after they have been removed from a group.
“This update addresses the issue by invalidating the group membership cache at appropriate times,” Apple said, noting this bug does not affect systems prior to Mac OS X v10.4.
The update also fixes an error in the Keychain access utility. The bug, which affects users of Mac OS X v10.4.2 and Mac OS X Server v10.4.2, causes a keychain to display passwords that are supposed to be stored and locked.
Several errors in the kernel that could allow the disclosure of memory to local users were also fixed. Apple said certain kernel interfaces may return data that includes sensitive information in uninitialized memory.
Two other flaws, in Finder and in Software Update, were also addressed.
Patch download locations have been included in the Apple advisory.