Mac OS X, including Snow Leopard, updated for security

Apple on Friday issued two updates -- one for users of Snow Leopard, and another for other Mac OS X users -- to address multiple security vulnerabilities, some of which could lead to arbitrary code execution.

The computing giant issued an update to its recently released Snow Leopard platform to address a vulnerable version of Adobe Flash Player that shipped with the two-week-old software, according to Apple release notes.

The updated version, Mac OS X 10.6.1, addresses nine previously fixed Flash vulnerabilities, the worst of which could have enabled arbitrary code execution if a user visited a maliciously crafted website.

“It's interesting for consumers to have these third-party products [such as Adobe Flash Player] bundled with their operating systems, but now Apple is responsible for them,” Andrew Storms, director of security operations for network security and compliance auditing firm nCircle, said on Friday.

The Flash issue was also addressed in other OS X versions through a separate security update that fixes 33 vulnerabilities in total. Security Update 2009-005 was issued Thursday for users of the Leopard (Mac OS X 10.5.8) and Tiger (Mac OS X 10.4.11) operating systems, along with Mac OS X Server versions 10.5, 10.4.x (Universal) and 10.4.x (PowerPC), according to Apple release notes.

A number of the vulnerabilities affect other third-party components in OS X, including PHP, SMB and MySQL, Storms said. A vulnerable version of PHP, an HTML-embedded scripting language used by web developers, was upgraded in Leopard.

Vulnerabilities were also fixed in the CoreGraphics and ColorSync components affecting Tiger and Leopard; these could enable arbitrary code execution if a user is tricked into viewing a maliciously crafted image, PDF file or web page.

Other security bugs were fixed in the Alias Manager, CarbonCore, ClamAV, CUPS, ImageIO, Launch Services and Wiki Server components. These vulnerabilities could enable an attacker to execute arbitrary code, terminate applications, obtain system privileges or access user accounts.
