Over 67 vulnerabilities spanning Mac OSX 10.4.x-10.5.x including in Apache, BIND, CoreGraphics, CUPS, enscript, Help Viewer, International Components for Unicode, Kerberos, Launch Services, Net SNMP, ATS, CFNetwork, CScope, Disk Images, Flash Plug-In iChat, IPSec, Kernel libxml ad Network Time.
Within CoreGraphics it relates mostly to PDF's, the exploit requires a users to loaded a specially crafted file from download or a web site. Used in conjunction it is possible for and elevation of privileges so having a limit account is not a full proof solution. ATS service can experience a buffer overflow due to the way that t handles Compact Fonts, this again used with other vulnerabilities can allow an attacker to elevate privileges. Use of a limited account is not one hundred percent effective.
Sites that are hosted from Mac OSX servers using Apache can publish specially crafted files that can substitute their own response for any web page being hosted on that system. CFnetwork flaw is related Set-Cookie parsing which can result in certain cookies being sent with clear text information. For developers that use XCode and need to print line number, many resort to using enscript. This update address several issues including the possibility to execute arbitrary code.
The update also address various issues related to Safari including the heap buffer issues related to libxml.There are also updates for Safari Public Beta which should not for any reason be used on a production system or a system with access to internal network resources.
This update also address important issues relates to Mac OSX Server. Administrators should patch their servers only after testing on non-production systems. Many of these updates are listed as critical, I currently have been using Parallels server for Mac OSX server and have not experienced any issues with our in-house test systems. These systems make up the bulk o my security lab.
Monday, June 8, 2009 at 08:23PM 