Wednesday, 17 August 2005
Apple Patches for Tiger and Panther
Apple has patched a number of security holes in its Panther and Tiger flavors of Mac OS X in its latest security update. More than 40 separate vulnerabilities are addressed in the four patches, covering the server and client versions of both Panther (Mac OS X 10.3.9) and Tiger (Mac OS X 10.4.2). The server patches address problems in 20 components, while the client patches fix 15 flaws. Following are some of the notable fixes:
1. AppKit: repaired to prevent malicious users from exploiting buffer overflows with carefully crafted .rtf and .doc files to execute malware stored within those files or to add extra user accounts to the system.
2. Safari Web browser: updated to fix a flaw that could allow arbitrary command execution when a user clicks a link in a maliciously crafted rich text file, and a bug that could cause Safari to send data to the wrong Web sites.
3. Bluetooth code: modified to ensure that devices' requirement for an authenticated connection is reported correctly. The security update also fixes "algorithmic complexity attack" vulnerabilities in the OS' CoreFoundation code.
4. Kerberos: updated to version 5.5.1, which prevents multiple buffer overflows that could result in remote compromise of a KDC or denial of service.
5. Directory Services code: patched to prevent buffer overflows and to block security flaws within the privileged tool dsidentity.
6. MySQL: fixed multiple vulnerabilities in MySQL on Mac OS X 10.3.9 that would allow arbitrary code execution by remote authenticated users. This issue does not affect users of Mac OS X 10.4.
The update weighs in at around 17MB and is available via Apple Downloads and through Software Update.