Mac OS X Leopard mega-patch plugs 41 security holes

Mac OS X Leopard mega-patch plugs 43 security holes

It’s Patch Day in the land of Mac OS X Leopard.

Apple today shipped Security Update 2008-003
(Mac OS X 10.5.3) with fixes for a wide range of serious
vulnerabilities that could put users at risk of information disclosure,
denial-of-service and remote code execution attacks.

The update (see Techmeme discussion)
includes a fix for the iCal vulnerabilities that were publicly
disclosed by Core Security last week. The iCal bugs could be exploited
to crash iCal or execute arbitrary code via malicious calendar updates
or by importing a specially crafted calendar file.

Core Security’s warning mentions three separate vulnerabilities but Apple’s update only includes a fix for a single bug:

A use-after-free issue exists in the iCal application’s
handling of iCalendar (usually “.ics”) files. Opening a maliciously
crafted iCalendar file in iCal may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by improving reference counting in the affected code. This issue
does not affect systems prior to Mac OS X v10.5.

In all, Apple documents at least 41 vulnerabilities in this mega update. They include seven (7) different vulnerabilities in Apple’s

[Source: Zdnet]