Apple Patches (in a big way) Tiger and Leopard
Apple's Security Update 2007-009 includes an array of patches for problems whose descriptions, for far too many of them, include the phrase
may lead to an unexpected application termination or arbitrary code execution
This is a patch to get ASAP. It updates bread-and-butter apps like Mail, Address Book, iChat and Safari; programming tools like perl, python and ruby; and OS-level components like SAMBA, SMB and, unfortunately, Software Update, which is subject to a man-in-the-middle attack.
Here's the description from the Apple advisory:
Software Update
CVE-ID: CVE-2007-5863
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: A man-in-the-middle attack could cause Software Update to execute arbitrary commands
Description: When Software Update checks for new updates, it processes a distribution definition file which was sent by the update server. By intercepting requests to the update server, an attacker can provide a maliciously crafted distribution definition file with the "allow-external-scripts" option, which may cause arbitrary command execution when a system checks for new updates. This update addresses the issue by disallowing the "allow-external-scripts" option in Software Update. This issue does not affect systems prior to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.
The update is available from Apple Downloads or by running Software Update.
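As an added illustration (not Apple's code and not part of the original post) of the kind of check the fix describes, the function below rejects a distribution definition that enables allow-external-scripts. The XML layout, with the option as an attribute on an <options> element, is an assumption, and both sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample distribution definitions (not real Apple update files).
# The layout assumes the Installer distribution format, where an <options>
# element carries the allow-external-scripts attribute.
SAFE_DIST = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <title>Example Update</title>
  <options customize="never" allow-external-scripts="no"/>
  <choices-outline><line choice="default"/></choices-outline>
</installer-gui-script>"""

SUSPICIOUS_DIST = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <title>Example Update</title>
  <options customize="never" allow-external-scripts="yes"/>
  <choices-outline><line choice="default"/></choices-outline>
</installer-gui-script>"""


def external_scripts_allowed(dist_xml: str) -> bool:
    """Return True if any <options> element enables allow-external-scripts.

    A document that cannot be parsed is reported as allowed, so that a
    caller which rejects "allowed" definitions fails closed on garbage input.
    """
    try:
        root = ET.fromstring(dist_xml)
    except ET.ParseError:
        return True
    for opts in root.iter("options"):
        value = opts.get("allow-external-scripts", "no").strip().lower()
        if value in ("yes", "true", "1"):
            return True
    return False


def audit(name: str, dist_xml: str) -> bool:
    """Print a verdict for one definition and return whether it was flagged."""
    flagged = external_scripts_allowed(dist_xml)
    print(f"{name}: {'REJECT (external scripts enabled)' if flagged else 'ok'}")
    return flagged


if __name__ == "__main__":
    audit("safe", SAFE_DIST)
    audit("suspicious", SUSPICIOUS_DIST)
```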