WinPlanet Software Downloads and Reviews for Small Businesses

Apple Updates OS X, Safari for Security
Zero-Day Safari Security Flaw Finally Patched
Sean Michael Kerner

Apple is tackling a long list of security vulnerabilities with an update for its Mac operating system to version 10.5.7, along with updates for its Safari Web browser that close a vulnerability exposed earlier this year.

The company issued updates for the Safari 3 browser as well as the Safari 4 beta, which Apple has had in public beta testing since February.

One of the issues fixed in both versions of the browser is a zero-day flaw originally discovered at the PWN2OWN contest in March of this year.

Mozilla Firefox was hit with the same flaw, but Mozilla fixed the issue in March with the Firefox 3.0.8 update.

According to Apple's advisory on the issue, "a memory corruption issue exists in WebKit's handling of SVGList objects." WebKit is Safari's core rendering engine for web browsing. As a result of the flaw, a user could be exposed to arbitrary code execution simply by visiting a malicious site.

Apple said it has addressed the issue with improved bounds checking in the browser to ensure that unsafe operations do not occur.

Safari also gets a fix for a feed-handling flaw that could have enabled an attacker to get control of a user's system. Apple noted in its advisory that there were multiple input validation issues in Safari's handling of "feed:" URLs.

The fixes for Mac 10.5.7, as is often the case with OS X updates, include numerous open source package updates. Among them are updates to the Apache Web server, the BIND DNS server, the CUPS printing server, OpenSSL, PHP and Ruby.

There is also an update for the Adobe Flash Player plugin to fix multiple issues that Adobe has already addressed. A flaw related to how Macs view Adobe PDF files is also fixed by way of an update to Apple's CoreGraphics engine.

Mac users who were looking for help files from Apple could also potentially have been at risk. Apple's advisory noted that accessing a maliciously crafted "help:" URL may lead to arbitrary code execution.

The 10.5.7 update patches the HelpViewer to validate file paths to ensure that the style sheets for the help files are legitimate.

Instant messaging also gets a security boost in Mac 10.5.7. Prior to the update, the default behavior for Apple's iChat was to disable SSL connections for AOL Instant Messenger connections when it was unable to connect via SSL on the first attempt.

A user would have had to manually re-enable SSL to get the security back for subsequent messages. Without SSL, messages are sent in the clear across a network and can be intercepted by an attacker.

"This update addresses the issue by changing the behavior of iChat to always attempt to use SSL, and to use less-secure channels only if the 'Require SSL' preference is not enabled," Apple's advisory states.

The 10.5.7 update is the first Apple OS X update since the 10.5.6 release in December.

News courtesy of internetnews.com

May 13, 2009
