Apple’s October Mac OS X Security Update Fixes 20 Flaws
October 10, 2008
Apple has released Security Update 2008-007, a new security patch for client and server versions of Mac OS X 10.5 “Leopard” and Mac OS X 10.4.11. The update fixes twenty security vulnerabilities, improves the general security of Mac OS X and is recommended for all users. Apple says that previous security updates have also been incorporated into this update.
Security Update 2008-007 is available via Software Update and also via standalone installers. The following is an overview of the most important fixes.
Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross-site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default.
Multiple vulnerabilities that existed in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution, have been fixed. ClamAV is the open-source anti-virus software included on Mac OS X Server. This update addresses the issues by updating to ClamAV 0.94. ClamAV is not bundled on Mac OS X Client systems.
MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect Mac OS X Server systems. PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect systems running Mac OS X v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.
A problem with the Finder’s error recovery feature, which may lead to a denial of service attack, has also been fixed. An issue with the Postfix configuration files, which may allow a remote attacker to send mail directly to local users, has been addressed by modifying the Postfix configuration to prevent SMTP connections from remote machines.
A vulnerability in the Script Editor application, which may allow a local user to gain the privileges of another user who is using Script Editor, has been addressed by creating the temporary file in a secure location.
Available Updates:
Security Update 2008-007 Server (Universal) - 199MB (download)
Security Update 2008-007 Server (PPC) - 123MB (download)
Security Update 2008-007 Client (PPC) - 70MB (download)
Security Update 2008-007 Client (Intel) - 161MB (download)
Security Update 2008-007 Server (Leopard) - 125MB (download)
Security Update 2008-007 Client (Leopard) - 31.MB (download)