
Apple just released a big old pile of patches for the security-burdened Leopard and Tiger operating systems. Among the addressed problems:

  • Address Book
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • CFNetwork
    Impact: Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission
  • Core Foundation
    Impact: Usage of CFURLWriteDataAndPropertiesToResource API may lead to the disclosure of sensitive information
  • Desktop Services
    Impact: Opening a directory containing a maliciously-crafted .DS_Store file in Finder may lead to arbitrary code execution
  • Flash Player Plug-in
    Description: Adobe Flash Player is updated to version 9.0.115.0 to address CVE-2007-5476. Further information is available via the Adobe site at http://www.adobe.com/support/security/advisories/apsa07-05.html
    Credit to Opera
  • GNU Tar
    Impact: Extracting a maliciously crafted tar archive could overwrite arbitrary files
  • iChat
    Impact: A person on the local network may initiate a video connection without the user’s approval
  • IO Storage Family
    Impact: Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution
  • Launch Services
    Impact: Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting
    Impact: Opening an executable mail attachment may lead to arbitrary code execution with no warning
  • Mail
    Impact: SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available
  • Quick Look
    Impact: Previewing a file with QuickLook enabled may lead to the disclosure of sensitive information
    Impact: Previewing a movie file may access URLs contained in the movie
  • Safari
    Impact: Visiting a malicious website may result in the disclosure of sensitive information
  • Safari RSS
    Impact: Accessing a maliciously crafted feed: URL may lead to an application termination or arbitrary code execution
  • Samba
    Impact: Multiple vulnerabilities in Samba
  • Shockwave Plug-in
    Impact: Opening maliciously crafted Shockwave content may lead to arbitrary code execution
  • SMB
    Impact: A local user may be able to execute arbitrary code with system privileges
  • Software Update
    Impact: A man-in-the-middle attack could cause Software Update to execute arbitrary commands
  • Spin Tracer
    Impact: A local user may be able to execute arbitrary code with system privileges
  • Spotlight
    Impact: Downloading a maliciously crafted .xls file may lead to an unexpected application termination or arbitrary code execution
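
The GNU Tar item above is the classic archive path-traversal problem: an entry name, symlink target or hard-link target that resolves outside the directory the archive is being extracted into. As an added example (not Apple's fix and not GNU tar's code), the Python below builds a constructed archive in memory and reports the entries a careful extractor would refuse before writing anything. The destination path /tmp/extract and all entry names are assumptions for the demo; nothing is written to disk.

```python
import io
import os
import tarfile

# Assumed extraction directory for the demo; nothing is actually written there.
DEST = "/tmp/extract"


def escapes(dest, relpath):
    """True if `relpath`, resolved against `dest`, would land outside `dest`."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, target]) != root


def unsafe_members(tar, dest=DEST):
    """Return [(name, reason)] for entries that would write outside `dest`.

    Checks the entry name itself, symlink targets (resolved relative to the
    entry's own directory) and hard-link targets (relative to the archive root).
    """
    findings = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or escapes(dest, m.name):
            findings.append((m.name, "entry path escapes destination"))
            continue
        if m.issym():
            target = os.path.join(os.path.dirname(m.name), m.linkname)
        elif m.islnk():
            target = m.linkname
        else:
            continue
        if os.path.isabs(m.linkname) or escapes(dest, target):
            findings.append((m.name, "link target escapes destination"))
    return findings


def build_sample_archive():
    """Constructed in-memory archive: one benign entry and three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"demo\n"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("docs/readme.txt")        # benign entry
        add_file("../outside.txt")         # parent-directory traversal (constructed)
        add_file("/tmp/absolute.txt")      # absolute path (constructed)
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/hosts"  # symlink pointing above DEST (constructed)
        tar.addfile(link)
    buf.seek(0)
    return buf


def scan(fileobj, dest=DEST):
    """Open an archive from a file object and report its unsafe entries."""
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    for name, reason in scan(build_sample_archive()):
        print(f"REJECT {name!r}: {reason}")
```

The check resolves each candidate path with `os.path.realpath` against the real destination and compares the common prefix, so lexical tricks such as `docs/../../x` and links that point above the root are caught the same way. Python 3.12's `tarfile` extraction filters (`extractall(filter="data")`) perform an equivalent check natively; on older interpreters a pre-extraction scan like this one is the practical substitute.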

Get a look at Apple’s full descriptions of issues and fixes at their site: Security Update 2007-009