Apple Releases 2010-005 Security Update For Mac OS X 10.5 and 10.6

A few minutes ago Apple issued a new security update for Mac OS X 10.6 and 10.5, aimed at fixing PDF vulnerabilities (the same as in iOS?), a network interception issue and PHP vulnerabilities.

Check out the full changelog after the break. The security update is available now in Software Update.

ATS

CVE-ID: CVE-2010-1808

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution

Description: A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.


CFNetwork

CVE-ID: CVE-2010-1800

Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: CFNetwork permits anonymous TLS/SSL connections. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections. This issue does not affect systems prior to Mac OS X v10.6.3. Credit to Tomas Bjurman of Sirius IT, Jean-Luc Giraud of Citrix, and Aaron Sigel of vtty.com for reporting this issue.


ClamAV

CVE-ID: CVE-2010-0098, CVE-2010-1311

Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6.4

Impact: Multiple vulnerabilities in ClamAV

Description: Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.96.1. ClamAV is distributed only with Mac OS X Server systems. Further information is available via the ClamAV website at http://www.clamav.net/


CoreGraphics

CVE-ID: CVE-2010-1801

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in CoreGraphics’ handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT) for reporting this issue.


libsecurity

CVE-ID: CVE-2010-1802

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: An attacker in a privileged network position who can obtain a domain name that differs only in the last characters from the name of a legitimate domain may impersonate hosts in that domain

Description: An issue exists in the handling of certificate host names. For host names containing three or more components, the last characters are not properly compared. In the case of a name containing exactly three components, only the last character is not checked. For example, if an attacker in a privileged network position could obtain a certificate for www.example.con the attacker can impersonate www.example.com. This issue is addressed through improved handling of certificate host names. Credit to Peter Speck for reporting this issue.
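As an added illustration (not Apple's code and not the libsecurity source), the following puts a full label-by-label host name comparison beside a model of the flaw described above, and checks the www.example.con / www.example.com case from the advisory. The model's behaviour for names with more than three components is an assumption, since the advisory only spells out the three-component case.

```python
# Added example, not from the original advisory. flawed_match is an
# illustrative approximation of the described defect, not libsecurity's code.

def flawed_match(cert_name: str, host: str) -> bool:
    """Model of CVE-2010-1802 as described: for a host name with three or more
    components the trailing character is left out of the comparison
    (assumption: treated the same for names longer than three components)."""
    if len(host.split(".")) < 3:
        return cert_name.lower() == host.lower()
    # The last character of both names is never compared.
    return cert_name[:-1].lower() == host[:-1].lower()


def correct_match(cert_name: str, host: str) -> bool:
    """Compare every label in full, case-insensitively. A leading '*' label
    matches exactly one host label and only when at least two fixed labels
    remain, so '*.com' never matches 'example.com'."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    # Reject empty labels (e.g. "www..example.com") and differing label counts.
    if len(c) != len(h) or any(not label for label in c + h):
        return False
    if c[0] == "*":
        if len(c) < 3:
            return False
        return c[1:] == h[1:]
    return c == h


if __name__ == "__main__":
    # Regression case taken from the advisory text: a certificate for
    # www.example.con must not be accepted for www.example.com.
    print("flawed :", flawed_match("www.example.con", "www.example.com"))   # True
    print("correct:", correct_match("www.example.con", "www.example.com"))  # False
```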


PHP

CVE-ID: CVE-2010-1205

Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in PHP’s libpng library. Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by updating libpng within PHP to version 1.4.3. This issue does not affect systems prior to Mac OS X v10.6.


PHP

CVE-ID: CVE-2010-1129, CVE-2010-0397, CVE-2010-2225, CVE-2010-2531, CVE-2010-2484

Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: Multiple vulnerabilities in PHP 5.3.1

Description: PHP is updated to version 5.3.2 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/


Samba

CVE-ID: CVE-2010-2063

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: An unauthenticated remote attacker may cause a denial of service or arbitrary code execution

Description: A buffer overflow exists in Samba. An unauthenticated remote attacker may cause a denial of service or arbitrary code execution by sending a maliciously crafted packet. This issue is addressed by performing additional validation of packets in Samba.
