Monday, February 11

Mac OS X 10.5.2 and Security Update 2008-001 hit the streets

Listed below are all the updates for Leopard 10.5.2 and Security Update 2008-001. All in all, this is a much-needed and timely update, and it looks to be huge. (Downloading right now on my MacBook Pro, the size shows 180 Mb.)

Active Directory

  • Addresses issues which could hinder or prevent binding Mac OS X 10.5.x clients to Active Directory domains.

AirPort

  • Improves connection reliability and stability.
  • Includes 802.1X improvements.
  • Resolves certain kernel panics.

Back to my Mac

  • Adds support for more third-party routers, as detailed in this article.

Dashboard

  • Improves performance of certain Apple Dashboard widgets (such as Dictionary).
  • Addresses an issue in which Dashboard widgets may no longer be accessible after switching to or from an account that has Parental Controls enabled.

Dock

  • Updates Stacks with a List view option, a Folder view option, and an updated background for Grid view.

Desktop

  • Addresses legibility issues with the menu bar with an option to turn off transparency in Desktop & Screen Saver preferences.
  • Adjusts menus to be slightly less translucent overall.

iCal

  • Improves iCal so that it accurately reflects responses to recurring meetings.
  • Addresses an issue in which a meeting may remain on the calendar after being cancelled.
  • Addresses stability issues related to .Mac syncing of iCal calendars.
  • Resolves an intermittent issue in which editing an event with attendees would cause the event to shrink and not register that the event was updated.

iChat

  • Addresses an issue with simultaneously logged-in accounts in which iChat sounds generated from one account might be heard in another account.
  • Fixes an issue in which iChat idle time is affected by Time Machine backups.
  • Improves connectivity when running iChat behind a router that doesn’t preserve ports.
  • Enables logged chats from previous versions of iChat to open faster and more reliably.
  • Addresses an issue with text chats in which users may be unable to receive messages from the sender.
  • Addresses an issue that may prevent rejoining an AIM chat room without reopening iChat.
  • Addresses video chat compatibility issues with AIM 6 and third-party routers.
  • Fixes an issue with case-sensitivity of AIM handles.

iSync

  • Adds support for Samsung D600E and D900i phones.

Finder

  • Addresses an issue in which Finder could unexpectedly quit when displaying folder contents in Column view.
  • Addresses an issue in which Finder could unexpectedly quit when accessing Users and Groups in a Get Info pane.
  • Resolves an issue that prevented setting permissions on a folder alias.
  • Resolves an issue in which the Eject command could write to a disc in the optical drive.
  • Fixes an issue in which the scroll bar might disappear when deleting a file within a folder that includes files that are out of view.
  • Fixes an issue in the Sharing & Permissions section of Get Info windows, in which the gear icon appears to be gray/disabled after authentication.
  • Addresses an issue in which the Show Icon Preview preference might not be saved when turning it off.
  • Fixes an issue that could occur when trying to print an image from the Finder. 

Mail

  • Addresses an issue with Message menu's "Mark As Read" choice.
  • Fixes an issue in which duplicate On My Mac folders may appear in the sidebar after upgrading to Leopard.
  • Improves the accuracy of the Data Detectors feature.
  • Resolves an issue with scrolling through a Note that is displayed using the split view in the message window.
  • Fixes an issue with deleting messages located in the Drafts folder.
  • Fixes an issue in which dragging the icon in the Safari URL field into a Mail message creates an attachment instead of a link.
  • Addresses an issue found when opening an item in the Notes folder that is not a Note.
  • Fixes an issue that may prevent RSS feeds from being delivered in Mail.
  • Resolves an issue in which a selected message could "flash" from blue to gray when in Organize by Thread mode.
  • Fixes an issue with scrolling between multiple To Dos in an email message.
  • Fixes an issue in which the body of email messages with certain MIME structures may not be displayed.
  • Improves performance with America Online (AOL) account-based messages in Mail.
  • Addresses issues with some ISPs during automatic set-up in Mail.
  • Addresses an issue in which Mail might not send mail on some networks to some SMTP servers.
  • Mail now automatically disables the (unsupported) third-party plugin GrowlMail version 1.1.2 or earlier to avoid issues.
  • Adds an option to view large icons in the Mailbox list.

Networking

  • Addresses a hanging issue that may occur when connecting to an AFP network volume.

Parental Controls

  • Improves stability when opening the Parental Controls System Preferences pane.
  • Fixes an issue that may prevent changes to the email address for permission requests.
  • Addresses an issue with printer administration for a guest account enabled with Parental Controls.
  • Addresses an issue with setting printer administration privileges from another Mac on the local network.
  • Fixes an issue that could prevent certain applications from being allowed.
  • Addresses accuracy issues with the web content filter. 

Preview

  • Improves stability when scrolling through a PDF document.
  • Fixes an issue that prevents tabbing within a PDF document after clicking on the PDF.
  • Improves the Mail Document feature so that email attachments are more reliably created from Print Preview. 

Printing

  • Addresses an issue in which remote printers may be deleted when the computer is put to sleep.
  • Improves printing performance when using some Microsoft Office applications.
  • Resolves an issue with some printing options, such as landscape orientation, number of copies, two-sided printing, and so forth that may not have functioned with some printers shared by Microsoft Windows.
  • Adds support for certain printers connected to the USB port of an AirPort Extreme or AirPort Express base station.
  • Resolves a stalling issue that could occur when installing certain Canon printing software from a disc.

RAW Image

  • Adds RAW image support for several cameras, as detailed in this article.

Safari

  • Addresses issues with Safari reliably resolving certain domains.

Login and Setup Assistant

  • Addresses an issue in which Setup Assistant could unexpectedly appear each time Mac OS X 10.5 starts up.
  • Improves stability and performance during log in.

System

  • Improves the accuracy of the grammar checker.
  • The computer will now shut down if an automatic disk repair does not succeed during startup. 

Time Machine

  • Adds a menu bar option for accessing Time Machine features (the menu extra can be enabled in Time Machine preferences).
  • Improves backup reliability when computer name contains slash or non-ASCII characters.
  • Fixes an issue in which the backup disk displayed in the Finder may be out of sync with the disk chosen for Time Machine.
  • Addresses issues in which some external drives are not recognized by Time Machine.
  • The status menu now appears by default.

Other

  • Improves general stability when running third-party applications.
  • Addresses an issue in which the incorrect search results may be displayed for certain Automator Find/Filter actions.
  • Addresses an issue with the Latvian and Russian keyboard layouts.
  • Addresses an issue in which the backlight could turn off before Energy Saver's backlight setting.

And as for Security Update 2008-001:

Mac OS X v10.5.2 / Security Update 2008-001


  • Directory Services

    CVE-ID: CVE-2007-0355

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue.

  • Foundation

    CVE-ID: CVE-2008-0035

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution

    Description: A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X v10.5.

  • Launch Services

    CVE-ID: CVE-2008-0038

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: An application removed from the system may still be launched via the Time Machine backup

    Description: Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup. This update addresses the issue by not allowing applications to be launched directly from a Time Machine backup. This issue does not affect systems prior to Mac OS X v10.5. Credit to Steven Fisher of Discovery Software Ltd. and Ian Coutier for reporting this issue.

  • Mail

    CVE-ID: CVE-2008-0039

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Accessing a URL in a message may lead to arbitrary code execution

    Description: An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message. This update addresses the issue by displaying the location of the file in Finder rather than launching it. This issue does not affect systems running Mac OS X v10.5 or later.

  • NFS

    CVE-ID: CVE-2008-0040

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: If the system is being used as an NFS client or server, a remote attacker may cause an unexpected system shutdown or arbitrary code execution

    Description: A memory corruption issue exists in NFS's handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through improved handling of mbuf chains. This issue does not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of Sun Microsystems for reporting this issue.

  • Open Directory

    Available for: Mac OS X v10.4.11, Mac OS X v10.4.11 Server

    Impact: NTLM authentication requests may always fail

    Description: This update addresses a non-security issue introduced in Mac OS X v10.4.11. A race condition in Open Directory's Active Directory plug-in may terminate the operation of winbindd, causing NTLM authentications to fail. This update addresses the issue by correcting the race condition that could terminate winbindd. This issue only affects Mac OS X v10.4.11 systems configured for use with Active Directory.

  • Parental Controls

    CVE-ID: CVE-2008-0041

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Requesting to unblock a website leads to information disclosure

    Description: When set to manage web content, Parental Controls will inadvertently contact www.apple.com when a website is unblocked. This allows a remote user to detect the machines running Parental Controls. This update addresses the issue by removing the outgoing network traffic when a website is unblocked. This issue does not affect systems prior to Mac OS X v10.5. Credit to Jesse Pearson for reporting this issue.

  • Samba

    CVE-ID: CVE-2007-6015

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests. If a system is explicitly configured to allow "domain logons", an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected. This update addresses the issue by applying the Samba patch. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html Credit to Alin Rad Pop of Secunia Research for reporting this issue.

  • Terminal

    CVE-ID: CVE-2008-0042

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously crafted web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved validation of URLs. Credit to Olli Leppanen of Digital Film Finland and Brian Mastenbrook for reporting this issue.

  • X11

    CVE-ID: CVE-2007-4568

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4

    Description: Multiple vulnerabilities in X11 X Font Server (XFS), the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

  • X11

    CVE-ID: CVE-2008-0037

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Changing the settings in the Security Preferences Panel has no effect

    Description: The X11 server does not correctly read its "Allow connections from network client" preference, which can cause the X11 server to allow connections from network clients even when the preference is turned off. This update addresses the issue by ensuring the X11 server reads its preferences correctly. This issue does not affect systems prior to Mac OS X v10.5.


