May 12th, 2009

Apple Patch Day: 67 Mac OS X, Safari vulnerabilities

Posted by Ryan Naraine @ 3:10 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Denial of Service (DoS), Exploit code, Flash, Hackers, Open source, Passwords, Patch Watch, Responsible disclosure, Windows Vista

Tags: Apple Macintosh, Apple Safari, Vulnerability, Apple Inc., Arbitrary Code Execution, Apple Mac OS X, Apple Mac OS, Operating Systems, Security, Software

On the same day Microsoft shipped a bundle of patches for gaping holes in its PowerPoint software, Apple followed suit, dropping a monster Mac OS X update to correct 67 security vulnerabilities.

The sudden Apple Patch Day also included a patch to cover a trio of flaws in the Safari Web browser (Mac OS X and Windows).

The OS X update covers flaws in 31 different components, including several known (and dated) issues in open-source packages used by Apple. These include vulnerabilities in Apache, BIND, CUPS, OpenSSL, PHP and Kerberos.

The update also fixes what Apple describes as “arbitrary code execution” vulnerabilities in ATS, CFNetwork, CoreGraphics, Cscope, Disk Images and Spotlight.

The full list of affected software, components and discussion of risk is available on Apple’s support site.

Separately, Apple shipped new versions of its Safari 3 and Safari 4 (beta) browsers to cover the following issues:

  • libxml (CVE-2008-3529): A heap buffer overflow exists in libxml’s handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Affects both Mac OS X and Windows XP and Vista.
  • Safari (CVE-2009-0162): Multiple input validation issues exist in Safari’s handling of “feed:” URLs. Accessing a maliciously crafted “feed:” URL may lead to the execution of arbitrary JavaScript. This update addresses the issues by performing additional validation of “feed:” URLs. These issues do not affect systems prior to Mac OS X v10.5. Also affects Windows XP and Vista.
  • WebKit (CVE-2009-0945): A memory corruption issue exists in WebKit’s handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking. Apple credits security researcher “Nils” for reporting this issue, suggesting it is the flaw exploited during this year’s CanSecWest contest.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

