Vulnerability Management

Scores of flaws fixed in mammoth Apple security update

Apple on Monday issued updates to Mac OS X Snow Leopard and Leopard to correct scores of security vulnerabilities that could allow an attacker to access user data, execute arbitrary code, obtain system privileges, or cause a denial-of-service condition, according to the company's advisory.

The updates affect client and server versions of Mac OS X 10.6 (Snow Leopard) and 10.5 (Leopard). The updates fix more than 90 flaws affecting many different operating system components, including AppKit, QuickTime, Disk Images, CoreAudio, Mail, SMB, FTP and several others, according to Mac security firm Intego.

The update includes nine fixes for bugs in QuickTime affecting client and server versions of Snow Leopard, according to the advisory. Specifically, several heap buffer overflow and memory corruption issues could be exploited by an attacker using a maliciously crafted movie file to crash the application or execute arbitrary code.
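The advisory summary above says only that the QuickTime bugs are heap buffer overflows triggered by a crafted movie file. The C program below is an added illustration of that general bug class, not Apple's code and not the real QuickTime file format: it parses a constructed atom-style container in which the heap buffer is sized from one file-controlled length field while the copy length is taken from a second, unchecked field, and shows the hardened parser beside it. The format, function names (`parse_atom_unsafe`, `parse_atom_safe`) and sample bytes are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy container (NOT QuickTime's real layout):
 *   [4-byte BE atom size][4-byte type][4-byte BE entry count][count * 8-byte entries]
 * The atom size covers the whole atom, header included. */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the heap buffer is sized from the atom size, but the
 * number of bytes copied into it comes from the entry count, a second
 * attacker-controlled field that is never checked against the atom size.
 * A file whose count*8 exceeds the payload overflows the heap buffer. */
int parse_atom_unsafe(const uint8_t *file, size_t file_len) {
    if (file_len < 12) return -1;
    uint32_t atom_size = be32(file);
    uint32_t count     = be32(file + 8);
    uint8_t *entries = malloc(atom_size - 12);       /* sized from field A ... */
    if (!entries) return -1;
    memcpy(entries, file + 12, (size_t)count * 8);   /* ... filled from field B: heap overflow */
    free(entries);
    return (int)count;
}

/* Hardened version: every length taken from the file is validated against
 * what the file actually contains before any allocation or copy. The
 * comparison count > payload / 8 avoids the multiplication overflow that a
 * check written as count * 8 > payload would be vulnerable to. */
int parse_atom_safe(const uint8_t *file, size_t file_len) {
    if (file_len < 12) return -1;
    uint32_t atom_size = be32(file);
    if (atom_size < 12 || atom_size > file_len) return -1;   /* atom must fit in the file */
    uint32_t count   = be32(file + 8);
    uint32_t payload = atom_size - 12;
    if (count > payload / 8) return -1;                      /* declared entries must fit in the payload */
    size_t need = (size_t)count * 8;
    uint8_t *entries = malloc(need ? need : 1);
    if (!entries) return -1;
    memcpy(entries, file + 12, need);
    free(entries);
    return (int)count;
}

/* Constructed sample inputs. */
static const uint8_t benign[] = {
    0, 0, 0, 20, 's', 't', 'b', 'l', 0, 0, 0, 1,   /* 20-byte atom, one entry */
    1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t crafted[] = {
    0, 0, 0, 20, 's', 't', 'b', 'l', 0, 0, 0, 4,   /* claims 4 entries, carries room for 1 */
    1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t oversized[] = {
    0, 0, 1, 0,  's', 't', 'b', 'l', 0, 0, 0, 1,   /* atom size 256 but file is 20 bytes */
    1, 2, 3, 4, 5, 6, 7, 8 };

int main(void) {
    printf("safe/benign    -> %d\n", parse_atom_safe(benign, sizeof benign));       /* 1  */
    printf("safe/crafted   -> %d\n", parse_atom_safe(crafted, sizeof crafted));     /* -1 */
    printf("safe/oversized -> %d\n", parse_atom_safe(oversized, sizeof oversized)); /* -1 */
    /* parse_atom_unsafe(crafted, sizeof crafted) would write 32 bytes into an
     * 8-byte heap allocation; build with -fsanitize=address to observe it. */
    return 0;
}
```

The two parsers differ only in the checks, which is the point: a parser that trusts one length field to size an allocation and another to drive the copy is the classic shape behind "maliciously crafted file leads to arbitrary code execution" advisories, and the fix is to bound every file-derived length against the enclosing structure before it is used.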

In addition, four bugs were fixed in iChat Server; these could have allowed an attacker to cause a denial of service, execute arbitrary code, or cause chat messages to stop being logged. Another four bugs were fixed in ImageIO, which could have allowed an attacker, using a maliciously crafted image or website, to execute arbitrary code or cause data to be disclosed from the memory of the Safari web browser.

Apple recommends that all users running client and server versions of Mac OS X Snow Leopard update to 10.6.3. In addition to the security fixes, the update also includes general operating system fixes to enhance stability and compatibility.

Users of client and server versions of Mac OS X Leopard are advised to download Security Update 2010-002.
