Exposure:Today, Apple released a
security update to fix vulnerabilities in all current versions of OS X. The update fixes well over 90 (number based on
CVE-IDs) security issues in around 43 components that ship as part of OS X, including Quicktime, CoreMedia, and Mail. Some of these vulnerabilities allow attackers to gain full control of your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:
* Various QuickTime Code Execution Vulnerabilities. Quicktime is the multimedia (video and audio) player that ships with OS X. According to Apple, QuickTime suffers from nine code execution vulnerabilities involving its inability to properly handle maliciously crafted movie files. Though the flaws differ technically, they share the exact same scope and impact.
If an attacker can lure one of your users into playing a malicious movie (perhaps hosted on a malicious website), he could exploit this flaw to either crash QuickTime or to execute attack code on that user's computer. By default, the attacker would only execute code with that user's privileges. However, the attacker could also leverage other
privilege elevation flaws described in Apple's alert to gain complete control of your user's Mac.
* Multiple Image-related Memory Corruption Vulnerabilities.
ImageIO and Image RAW are both OS X components that help the operating system handle various types of image files. Both components suffer from memory-related vulnerabilities involving the way they handle certain types of image files. Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted picture (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash the viewing application or to execute attack code on the victim's computer. By default, the attacker would only execute code with that user's privileges. However, the attacker could also leverage other flaws in Apple's alert to gain complete control of your user's Mac.
* Disk Images Code Execution Vulnerabilities. Disk Images is the OS X component that mounts the
DMG disk image files commonly used to install software on Mac computers. Apple's OS X update fixes two code execution vulnerabilities in Disk Images. Though they differ technically, an attacker could leverage both in the same way. By enticing you to mount a malicious DMG file, an attacker could exploit either of these flaws to execute code on your computer, with your privileges. Like the previous flaws, the attacker could then leverage other vulnerabilities to gain complete control of your Mac.
Apple's alert also describes many other vulnerabilities, including some
Denial of Service (DoS)flaws, information disclosure issues, and
Cross Site Scripting (XSS) vulnerabilities. Components patched by this security update include:
- AppKit
- Application Firewall
- AFP Server
- Apache
- ClamAV
- CoreAudio
- CoreMedia
- CoreTypes
- CUPS
- curl
- Cyrus IMAP
- Cyrus SASL
- Desktop Services
- Disk Images
- Directory Services
- Dovecot
- Event Monitor
- FreeRADIUS
- FTP Server
- iChat Server
- ImageIO
- Image RAW
- Libsystem
- Mail
- Mailman
- MySQL
- OS Services
- Password Server
- perl
- PHP
- Podcast Producer
- Preferences
- PS Normalizer
- Quicktime
- Ruby
- Server Admin
- SMB
- Tomcat
- unzip
- vim
- Wiki Server
- X11
- xar
Please refer to
Apple's OS X 10.5.x and 10.6.x alert for more details
As an aside, if you haven't installed the
Safari update Apple released earlier this month, we recommend you install it as well.