Apple delivers Leopard, Tiger security updates

Apple late on Monday released fixes for its Tiger and Leopard operating systems (OS), patching a total of 13 vulnerabilities between security updates.

The release upgrades Leopard users to Mac OS X 10.5.2 and provides an update - the first of the year - for Mac OS X 10.4.11 users.

The new version of Leopard corrects eight vulnerabilities comprising a number of OS components and protocols: Foundation, Launch Services, NFS, Parental Controls, Samba, Terminal and X11.

The update for Tiger plugs five holes - three unique for Leopard - including Directory Services, Mail and Open Directory.

Perhaps the most interesting patch is for Launch Services, which is an application programming interface used to open applications, documents and URLs, Apple said. The problem, though, is that Launch Services still may allow an uninstalled application to open if it remains in the Time Machine backup.

"This was a pretty serious bug because imagine if you got some sort of trojan horse but you deleted it and still got a backup of it and you didn't know you had a backup of it," Peter James, a spokesman for Mac security software maker Intego, told SCMagazineUS.com today. "It could launch something that is extremely malicious."

The fix now allows users to be notified in their menu bar when a backup is taking place, without being forced to manually look it up, Joel Esler, a security consultant and incident handler with the SANS Internet Storm Center, told SCMagazineUS.com today in an email.

The Directory Services privilege-escalation vulnerability, which could be exploited to cause a stack-based buffer overflow, was disclosed by researcher Kevin Finisterre during last January's "Month of Apple Bugs."

The Foundation error, meanwhile, involves a memory corruption error in the way the Safari browser handles URLs, according to Apple. Malicious individuals can exploit the flaw to execute arbitrary code.

The vulnerability in the Mail application could allow users to be hit with malware just by clicking on a URL in a message, Apple said. Similarly, the bug in the open source printing protocol Samba, could permit the installation of malicious code when processing certain Net BIOS Name Service requests.

Esler said that as Mac OS X gains market share, hackers will increasingly target the platform. However, he said, Apple has done a good job of eliminating legacy hardware and software that could open the door for vulnerabilities.

"Windows has had to drag all this old code along in each of their OS updates, and while Microsoft has made a lot of progress in recent years with the security of its platform, the same old spyware, malware, trojans, worms and viruses are still a problem," Esler said.

The release from Apple came less than 24 hours before Microsoft was set to deliver a dozen fixes as part of its monthly "Patch Tuesday" security roundup.

Sign up to our newsletters