
Apple Plugs Mac OS X Worm Hole


Written By
Ryan Naraine
Mar 1, 2006

With the security of its flagship Mac OS X operating system facing intense scrutiny, Apple Computer on March 1 released a software update with patches for more than a dozen security vulnerabilities.

The first security update from Apple for 2006 comes less than a week after the release of exploit code for a Safari browser flaw and the discovery of two worms affecting Mac OS X users.

In all, five Safari issues were addressed, including an “extremely critical” flaw that could allow remote code execution if a user simply viewed a maliciously rigged Web page.

“By preparing a Web page including specially-crafted JavaScript, an attacker may trigger a stack buffer overflow that could lead to arbitrary code execution with the privileges of the user,” Apple acknowledged in an advisory. The update addresses the issue by performing additional bounds checking.

A separate buffer overflow in the way the WebKit application framework handles certain HTML could allow a maliciously crafted Web page to cause a crash or execute arbitrary code as the user viewing the site.


The company also patched a third code execution hole in Safari that could let an attacker use JavaScript to trigger a stack buffer overflow.

Apple also acknowledged that Safari’s security model prevents remote resources from causing redirection to local resources. “An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions,” the company said in the alert.

The update also addresses a flaw in Syndication (Safari RSS) that Apple said may allow JavaScript code embedded in RSS feeds to run within the context of the RSS reader document. This could allow malicious feeds to circumvent Safari’s security model.

The iChat application was also patched to block the spread of the Leap.A IM worm that was discovered on the Mac OS X platform last week.

“With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers,” Apple said.

The update also fixes flaws in Mail, apache_mod_php, automount, Bom, Directory Services, IPSec, LaunchServices, LibSystem, loginwindow and rsync.

The update is shipped automatically to all Mac users through Apple’s Software Update service.

Separate downloads are available on Apple’s Download site for Mac OS X v10.3.9 (client and server) versions and Mac OS X v10.4.5 (Tiger) Intel and PowerPC versions.
