Apple’s 2008-007 Security Update released for download
October 11, 2008, Author: Cezar Renta
Apple has released its 7th security update of the year. It fixes several bugs in the system and a number of minor security issues, but also several critical ones, including a bug that allowed arbitrary code execution within the OS. The update also addresses a vulnerability in the Weblog Server, a heap buffer overflow in the MySQL Server, and an Apache server update.
Here are several highlights of this Apple Security Update:
Apache
Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default.
Certificates
Root certificates have been updated. Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
ClamAV
Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.94. ClamAV is not bundled on Mac OS X Client systems.
Finder
An error recovery issue exists in Finder. A maliciously crafted file on the Desktop which causes Finder to unexpectedly terminate when generating its icon will cause Finder to continually terminate and restart. Until the file is removed, the user account is not accessible via Finder’s user interface. This update addresses the issue by generating icons in a separate process. This issue does not affect systems prior to Mac OS X v10.5.
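The fix described above, moving icon generation into a separate process, is a general crash-isolation pattern: if the risky step runs in a child, a crafted input kills only the child and the long-lived parent can fall back to a generic icon and keep serving the user. The following is an added example and not Apple's or Finder's code; `generate_icon`, `generate_icon_isolated` and the file names are hypothetical, and the crash is simulated by raising `SIGSEGV` on a file whose name contains "malformed".

```c
/* Added example (not Apple's code): isolate a crash-prone step ("icon
   generation") in a forked child so a malformed input only kills the child. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical icon generator. A real one would parse the file; here a
   parser bug on a crafted file is simulated by raising SIGSEGV. */
static int generate_icon(const char *filename) {
    if (strstr(filename, "malformed") != NULL) {
        raise(SIGSEGV);   /* stands in for a crash on a crafted file */
    }
    return 0;              /* icon generated */
}

/* Run generate_icon() in a child process. Returns 0 if the icon was
   generated, 1 if the child crashed or failed (caller falls back to a
   generic icon and continues), -1 if fork/wait itself failed. */
int generate_icon_isolated(const char *filename) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: do the risky work, report success via the exit status */
        _exit(generate_icon(filename) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return 1;   /* killed by a signal or exited non-zero */
}

/* Walk a constructed directory listing; the loop survives the crash and
   reports how many entries needed the generic-icon fallback. */
int count_fallbacks(const char *const *files, int n) {
    int fallbacks = 0;
    for (int i = 0; i < n; i++) {
        if (generate_icon_isolated(files[i]) != 0) fallbacks++;
    }
    return fallbacks;
}

/* Constructed sample "Desktop": one of three entries is malformed. */
int sample_fallback_count(void) {
    const char *desktop[] = { "report.pdf", "malformed.icns", "photo.jpg" };
    return count_fallbacks(desktop, 3);
}

int main(void) {
    int fb = sample_fallback_count();
    printf("%d of 3 entries fell back to a generic icon; parent still running\n", fb);
    return 0;
}
```

Without the fork, the same `raise(SIGSEGV)` would terminate the whole program, which is exactly the restart loop the advisory describes; with it, the parent observes a non-zero status, substitutes a fallback, and moves on to the next file.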
MySQL Server
A heap buffer overflow exists in the local IPC component of configd’s EAPOLController plugin, which may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking.
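The overflow pattern behind an entry like this is a fixed-size heap buffer receiving a client-supplied length over a local IPC channel; the fix, "improved bounds checking", means validating that length against the allocation before copying. The following is an added example and not Apple's or configd's code; the message layout, `NAME_CAP` and the function names are hypothetical. The unchecked variant is included only for contrast and is never called.

```c
/* Added example (not Apple's code): a heap buffer filled from an
   attacker-controlled IPC length, unchecked vs. bounds-checked. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 32   /* hypothetical size of the heap allocation */

/* Hypothetical IPC message: a length field followed by payload bytes.
   The length is supplied by an untrusted local client. */
struct ipc_msg {
    uint32_t len;
    const uint8_t *data;
};

/* Vulnerable pattern: trusts msg->len, so len > NAME_CAP writes past the
   end of the heap block (heap buffer overflow). Shown for contrast only;
   nothing in this file calls it. */
uint8_t *copy_name_unchecked(const struct ipc_msg *msg) {
    uint8_t *name = malloc(NAME_CAP);
    if (name == NULL) return NULL;
    memcpy(name, msg->data, msg->len);   /* no check against NAME_CAP */
    return name;
}

/* Hardened pattern: validate the length against the allocation before the
   copy and reject oversized or malformed messages rather than truncating
   silently. Returns the buffer, or NULL with *err set on failure. */
uint8_t *copy_name_checked(const struct ipc_msg *msg, int *err) {
    *err = 0;
    if (msg->data == NULL || msg->len > NAME_CAP) {
        *err = 1;                    /* fail closed on a bad length */
        return NULL;
    }
    uint8_t *name = malloc(NAME_CAP);
    if (name == NULL) { *err = 2; return NULL; }
    memcpy(name, msg->data, msg->len);
    if (msg->len < NAME_CAP)         /* zero the unused tail */
        memset(name + msg->len, 0, NAME_CAP - msg->len);
    return name;
}

/* Demonstration helper: build a constructed message of the given length
   and report 1 if the checked copier accepts it, 0 if it rejects it. */
int checked_copy_accepts(uint32_t len) {
    uint8_t payload[1024];
    memset(payload, 'A', sizeof payload);
    if (len > sizeof payload) return 0;
    struct ipc_msg msg = { len, payload };
    int err;
    uint8_t *name = copy_name_checked(&msg, &err);
    int ok = (name != NULL && err == 0);
    free(name);
    return ok;
}

int main(void) {
    printf("len=16 accepted: %d\n", checked_copy_accepts(16));
    printf("len=32 accepted: %d\n", checked_copy_accepts(32));
    printf("len=33 accepted: %d\n", checked_copy_accepts(33));
    return 0;
}
```

The check compares the untrusted length with the size of the destination, not with the size of the incoming message, and a rejected message yields an error the caller must handle; that is what distinguishes a bounds check from a quiet truncation that would hide a protocol violation.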
PHP
PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/. These issues only affect systems running Mac OS X v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.
Weblog
An unchecked error condition exists in the weblog server. Adding a user with multiple short names to the access control list for a weblog posting may cause the Weblog server to not enforce the access control. This issue is addressed by improving the way access control lists are saved. This issue only affects systems running Mac OS X.
The Apple 2008-007 Security Update can be installed automatically via Updater, or you can download the packages and install them manually.
The update covers both Tiger and Leopard, Mac OS X 10.4.11 and Mac OS X 10.5 respectively.