Apple releases Security Update 2008-002

Among the most heavily addressed areas are AppKit, the CUPS unix printing environment, Foundation, and X11 — all of which contained vulnerabilities that could lead to arbitrary code execution, unexpected application termination, or grant attackers unauthorized access to various system components.

A number of password and authentication issues were also addressed in the areas of Kerberos, Podcaster, Preview and Printing. For example, Apple said Mac OS X Server's Podcast Producer included a component that provided passwords to a subtask through arguments, potentially exposing the passwords to other local users. Likewise, Preview and Printing services contained flaws that could expose the contents of an encrypted PDF without prompting the user for a password.

Meanwhile, an Image Raw-related glitch made it possible for a maliciously crafted image to lead to an unexpected application termination or arbitrary code execution.

"A stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution," Apple said. "This update addresses the issue through improved validation of DNG image files. This issue does not affect systems prior to Mac OS X v10.5."

Other fixes address vulnerabilities in Apache, AFP, Application Firewall, CFNetwork, ClamAV, CoreFoundation, CoreServices, curl, Emacs, libc, mDNSResponder, notifyd, OpenSSH, pax archive utility, PHP, System Configuration, UDF, and Wiki Server. A full list is available here.

Security Update 2008-002 is available in three distinct distributions each for Mac OS X Client (Leopard, Universal, PPC) and Mac OS X Server (Leopard, Universal, PPC). Alternatively, you can run the Mac OS X Software Update mechanism located under the Apple menu to automatically receive the appropriate update for your system.