Apple releases fixes for Mac OS X, iPhone vulnerabilities

The fix to Mac OS X addresses multiple vulnerabilities, some rated as highly critical by security advisory service Secunia. These vulnerabilities include the possibility of bypassing security, cross-site scripting, spoofing, manipulating data, exposing sensitive information, escalating privileges, denial of service and unauthorized system access. The fix is available for Mac OS X and Mac OS X Server versions 10.3.9 and 10.4.10. This is the largest Mac OS X fix since January 2007.

While several of these vulnerabilities require the user to click on specially crafted URIs, open special files or visit special Web sites, many allow direct interference by malicious users. Several of the vulnerabilities permit remote manipulation. The vulnerabilities involve operating system components such as CFNetwork, CoreAudio, cscope, iChat, Kerberos, mDNSResponder, PDFKit, PHP, Quartz Composer, Samba, Squirrelmail, Apache Tomcat, WebCore, WebKit, Safari, bzgrep, bzip2, gnuzip and zgrep.

The iPhone flaw involves a weakness in the device's version 1.0 software involving several Web access vulnerabilities. These vulnerabilities include cross-site scripting, unexpected application termination, spoofing or arbitrary code execution. The vulnerabilities involve components such as Safari, WebCore and WebKit. The version 1.0.1 update is only available through iTunes.

The iPhone update comes after a group of security researchers last week became the first to demonstrate how to take control of the Apple iPhone (.pdf).

The first attack scenario is a straightforward one in which the attacker sends an Apple iPhone user an email containing a link to a malicious Web site. Once the user clicks on the link, the attacker's Web server exploits a flaw in the Safari browser that runs on the phone and takes control of the device.

The researchers, Charlie Miller, Joshua Mason and Jake Honoroff, also used a second HTML-based exploit to force the iPhone to perform some trivial functions, such as buzzing and vibrating. However, they said the same attack could be used to exploit additional APIs in the phone to make calls, send text messages or record conversations and send them to a third party.

The trio of experts at Baltimore-based Independent Security Evaluators, will discuss their findings at the Black Hat USA conference in Las Vegas this week.