Showing posts with label MAC OS X. Show all posts

Wednesday, February 13, 2008

Bug fixes for Mac OS X 10.5 codenamed "Leopard"

The latest security updates fix 11 bugs in the Mac operating system, including eight bugs in the recently released Mac OS X 10.5, known as "Leopard." Apple released the security fixes in conjunction with a 10.5.2 update to Leopard, which includes dozens of other updates.

Some of the security flaws are extremely serious, and could be exploited by hackers to run unauthorized software on a victim's computer, although Apple did not report any incidents of this occurring.

The patches include fixes for Safari, Mail, Launch Services, the Mac OS Directory Services, Open Directory and Parental Controls. There are also patches for several Unix components that ship with Apple's software, including a recently patched flaw in the Samba file-and-print software.

"The Samba bug was expected, since all the open-source distributions released fixes a while ago," said Andrew Storms, nCircle's director of security operations, via instant message.

It's been a busy time for software developers working on some widely used software products.

Apple's patches come a day before Microsoft is set to issue a massive set of updates itself. Last week, the software vendor said it expected to release 12 security updates for a variety of products including critical updates for Windows, Internet Explorer and Office.

Last week other critical patches were also released for Adobe Reader and Apple's QuickTime media player.

Saturday, April 21, 2007

Apple patch tackles two dozen Mac OS vulnerabilities

Apple Inc. on Thursday plugged over two dozen security exploits within the client and server versions of its Mac OS X 10.3 "Panther" and Mac OS X 10.4 "Tiger" operating systems that could potentially expose Mac users to a variety of malicious attacks.

For Mac OS X 10.4.9

A version of the software update for systems running Mac OS X 10.4.9 -- labeled Security Update 2007-004 -- does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV.

The patch is available as a 16.1MB download for Macs running the Intel version of Mac OS X 10.4.9 client version and as a 9.3MB download for those machines running the PowerPC version of the OS.

For Mac OS X 10.3.9

Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release dismantles exploits in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation.

Users of 10.3.9 can download a 37.6MB updater for the client version of the software or a 54.1MB updater for its server counterpart.

The culprits

For the most part, the vulnerabilities addressed by the Mac maker's latest security update could translate into denial-of-service attacks, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, AirPort, CarbonCore, Kerberos, WebDAV and the Mac OS X Login Window.

The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environment variables, could allow a local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to "require a password to wake the computer from sleep."
