Apple Fixes Hole in Mac OS X With Security Update 2009-003

By Partho, Gaea News Network
Thursday, August 6, 2009

For years now, Apple has been bragging about its virtually impregnable OSes. It's high time the Cupertino company lived up to its words. Apple has released a security update providing fixes for 18 vulnerabilities in Mac OS X. The loopholes in Mac OS X could be exploited by hackers to hijack machines by duping users into viewing malicious image files on the Web. Apple is distributing Security Update 2009-003 with Mac OS X 10.5.8 for Leopard users and delivering it separately for Tiger users. The Security Update has been devised to plug holes in various components, ranging from ColorSync and Dock to the kernel and MobileMe, Apple's for-pay sync and storage service.

Security Loopholes

According to Andrew Storms, director of security operations at nCircle Network Security, "The PNG [Portable Network Graphics] bug is the most interesting" out of the six image file bugs. PNG is a widely used format on Web sites. This makes it all the easier for a hacker to trigger the bug by simply getting users to visit a website.

Storms adds that it's quite easy for hackers to host one of these malicious sites.

Apple's security update also includes patches for four flaws in the ImageIO component of the Mac's operating system related to its handling of OpenEXR images, a format developed by Lucasfilm's Industrial Light and Magic visual effects studio. The sixth image vulnerability is also related to ImageIO, which is vulnerable to malformed Canon RAW photographic files.

Today’s security release is the smallest this year by vulnerability count.

Commendably, Apple has worked through the Safari and WebKit vulnerabilities and the bugs that existed in a lot of third-party components. Now they are all gone.

The MobileMe vulnerabilities are not very serious, but might be used by scheming friends or co-workers to access someone's account. There's a bug in the MobileMe preference pane.

Signing out of the preference pane doesn't actually delete all the credentials. Anybody with access to the local user account might continue to access any other system associated with the MobileMe account that has previously been signed in. This is quite important, as MobileMe is one of the prime services offered by Apple.

Of the 18 vulnerabilities, more than half, 10 of them, carried Apple's "arbitrary code execution" label. These loopholes were critical and could have been used to compromise a Mac system. Unlike other vendors such as Microsoft and Oracle, Apple doesn't assign a threat ranking to the bugs.
