Apple patches Mac security flaws

The software vendor issued an update to address 45 flaws, including several kernel issues, disk image handling problems and AppleTalk networking troubles.

Apple Computer has issued a security update that addresses 45 flaws found within the operating system and some third-party applications.

The company addressed several critical security issues in its own software that were discovered as part of the Month of Apple Bugs and the Month of Kernel Bugs. The update also fixes flaws in some third-party applications, such as Adobe Systems Flash Player and the MySQL database.

Several of the security flaws could be exploited by an attacker to conduct a denial-of-service (DoS) attack or to elevate privileges and access data, according to a security alert issued by Apple. Other flaws could allow an attacker to gain full control over a victim's computer.

Apple Mac OS X and Mac OS X server versions 10.4.8 and earlier are affected. The software vendor said its automatic update would fix the issues.

In an advisory it released on the issues, security vendor Symantec said it was unaware of any exploits in the wild.

"To exploit some of these issues, an attacker must entice an unsuspecting user to execute a malicious file," Symantec said.

A stack-based buffer-overflow vulnerability affects the handling of images with embedded ColorSync profiles. Also found was an unspecified memory-corruption vulnerability affecting the 'diskimages-helper' when arbitrary disk images are mounted.

The AppleTalk networking protocol handler contains a memory-corruption issue and a heap buffer overflow vulnerability that may lead to a denial of service or arbitrary code execution.

An authentication-bypass vulnerability was discovered, which is attributed to a flaw in the DirectoryService. It allows unprivileged LDAP users to modify the local root password.

AppleSingleEncoding disk images are also affected by an integer-overflow vulnerability, and a flaw triggered by incomplete SSL connections to the CUPS service opens the operating system to a denial-of-service attack, Symantec said.

Flaws were found in the SSH key creation process; insufficient controls in the IOKit HID interface; an insecure command-execution issue affecting the initialization process of USB printers; and an unspecified memory-corruption flaw, which arises during the handling of RAW Image files.

Symantec credited Andrew Garber of University of Victoria, Alex Harper, Michael Evans, and Luke Church of the Computer Laboratory at the University of Cambridge, Jeff Mccune of The Ohio State University, and Cameron Kay of Massey University, New Zealand with the discovery of some of the issues.
