February 13, 2009

Apple released several security updates Thursday to OS X, Java and Safari, fixing over 50 distinct vulnerabilities, as measured by CVE number

The OS X update, Security Update 2009-001, fixes Mac OS X v10.4.11 and Mac OS X v10.5.6. It's the usual OS X update stuff: many are fixes in 3rd-party products bundled with OS X, including, in this case, ClamAV, Fetchmail (written by the famous Eric S. Raymond), Perl and Python. Those 4 alone are responsible for 15 of the vulnerabilities fixed in this update. Another 14 are just in X11. Some of the vulnerabilities in these outside packages date to 2007.

The other fixes are also typical. A Coretext fix stops a bug through which "viewing maliciously crafted Unicode content may lead to an unexpected application termination or arbitrary code execution." Another scary one in the SMB file support could allow arbitrary code execution with system privileges by connecting to a maliciously-crafted SMB file system.

MThere is also a Safari update that fixes a bug which allows "execution of arbitrary JavaScript in the local security zone." A separate update for Safari for Windows fixes this same bug on that platform.

Some of the bugs fixed in this update are not identified with CVE numbers; they are security-related bugs, but not described as vulnerabilities. For instance, in one, cookies may not be saved to disk in cases where they should.

Two other updates fix 4 bugs in Java in OS X 10.4 and 10.5. The problems fixed are in Java Web Start and the Java Plug-in and could result in arbitrary code execution with the privileges of the current user. This update fixes 4 of the 7 bugs fixed in an update from Sun in December. No word on why they other 3 aren't fixed.