Apple patches dozens of dangerous Mac flaws


Apple Computer Inc. issued a security update Tuesday addressing 45 flaws found within the operating system and some third-party applications.

The Cupertino, Calif.-based company addressed some critical issues in its own software, several of which were discovered as part of the Month of Apple Bugs and the Month of Kernel Bugs projects.


The update also fixes flaws in some third-party applications, such as Adobe Systems' Flash Player and the MySQL database.

Several flaws could be exploited by an attacker to conduct a denial-of-service (DoS) attack or to elevate privileges and access data, according to a security alert Apple issued Tuesday. Other flaws could allow an attacker to gain full control over a victim's computer.

Apple Mac OS X and Mac OS X Server versions 10.4.8 and earlier are affected. The software vendor said its automatic update would fix the issues.

In an advisory it released on the issues, security vendor Symantec said it was unaware of any exploits in the wild.

"To exploit some of these issues, an attacker must entice an unsuspecting user to execute a malicious file," Symantec said.

A stack-based buffer-overflow vulnerability affects the handling of images with embedded ColorSync profiles. An unspecified memory-corruption vulnerability was also found in the 'diskimages-helper' process, triggered when arbitrary disk images are mounted.

The AppleTalk networking protocol handler contains a memory-corruption issue and a heap buffer-overflow vulnerability, either of which may lead to a denial of service or arbitrary code execution.

An authentication-bypass vulnerability, attributed to a flaw in DirectoryService, allows unprivileged LDAP users to modify the local root password.

Disk images that use AppleSingleEncoding are also affected by an integer-overflow vulnerability, and a flaw triggered by incomplete SSL connections to the CUPS service exposes the operating system to a denial-of-service attack, Symantec said.

Flaws were also found in the SSH key-creation process; insufficient controls in the IOKit HID interface; an insecure command-execution issue affecting the initialization of USB printers; and an unspecified memory-corruption flaw that arises during the handling of RAW image files.
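Two of the bug classes listed above, the stack-based buffer overflow in embedded-profile handling and the integer overflow in disk-image parsing, share one root cause: a length field read from untrusted file data is trusted when sizing a copy into a fixed buffer. The C program below is an added illustration of that class and of the check that prevents it; it is not Apple's ColorSync, AppleSingle, or diskimages-helper code, and the chunk format (a 4-byte big-endian length followed by payload) is a hypothetical, constructed one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical chunk format: 4-byte big-endian payload length,
 * then that many bytes of "profile" data. Not a real Apple file format. */
#define PROFILE_MAX 64
#define LEN_FIELD   4

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bug class: the declared length is trusted and becomes the memcpy size
 * into a fixed-size stack buffer. A crafted length larger than PROFILE_MAX
 * writes past 'profile' (stack overflow); a length larger than the data
 * actually present reads past the input (and, if the code instead computed
 * 'declared + LEN_FIELD' in 32 bits, a huge value would wrap to a small one,
 * which is the integer-overflow variant). Never call this on untrusted data. */
int copy_profile_unchecked(const uint8_t *chunk, size_t chunk_len, uint8_t *digest) {
    uint8_t profile[PROFILE_MAX];
    if (chunk_len < LEN_FIELD) return -1;
    uint32_t declared = read_be32(chunk);
    memcpy(profile, chunk + LEN_FIELD, declared);   /* 'declared' is unbounded */
    *digest = 0;
    for (uint32_t i = 0; i < declared; i++) *digest ^= profile[i];
    return 0;
}

/* Hardened form: bound the declared length by the destination buffer and by
 * the bytes actually received. The comparison is written as a subtraction on
 * the already-validated 'chunk_len' side, so no arithmetic on the attacker-
 * controlled 'declared' value can wrap. */
int copy_profile_checked(const uint8_t *chunk, size_t chunk_len, uint8_t *digest) {
    uint8_t profile[PROFILE_MAX];
    if (chunk == NULL || digest == NULL || chunk_len < LEN_FIELD) return -1;
    uint32_t declared = read_be32(chunk);
    if (declared > PROFILE_MAX) return -2;             /* would overrun the stack buffer */
    if (declared > chunk_len - LEN_FIELD) return -3;   /* claims more data than is present */
    memcpy(profile, chunk + LEN_FIELD, declared);
    *digest = 0;
    for (uint32_t i = 0; i < declared; i++) *digest ^= profile[i];
    return 0;
}

/* Constructed sample inputs, wrapped in functions so results can be checked. */
int sample_wellformed(void) {
    static const uint8_t chunk[] = {0, 0, 0, 3, 'a', 'b', 'c'};
    uint8_t d = 0;
    return copy_profile_checked(chunk, sizeof chunk, &d) == 0 ? d : -1;  /* 'a'^'b'^'c' = 0x60 */
}

int sample_unchecked_wellformed(void) {
    static const uint8_t chunk[] = {0, 0, 0, 3, 'a', 'b', 'c'};
    uint8_t d = 0;
    return copy_profile_unchecked(chunk, sizeof chunk, &d) == 0 ? d : -1;
}

int sample_oversized(void) {   /* declared length 0x7FFFFFFF, far beyond PROFILE_MAX */
    static const uint8_t chunk[] = {0x7F, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c'};
    uint8_t d = 0;
    return copy_profile_checked(chunk, sizeof chunk, &d);
}

int sample_truncated(void) {   /* declared length 10, but only 3 payload bytes follow */
    static const uint8_t chunk[] = {0, 0, 0, 10, 'a', 'b', 'c'};
    uint8_t d = 0;
    return copy_profile_checked(chunk, sizeof chunk, &d);
}

int main(void) {
    printf("well-formed digest: 0x%02x\n", sample_wellformed());
    printf("oversized length  : %d (rejected)\n", sample_oversized());
    printf("truncated payload : %d (rejected)\n", sample_truncated());
    return 0;
}
```

The hardened parser rejects both malformed inputs before any copy happens; the unchecked version is included only to show the shape of the defect and is exercised here with well-formed data alone.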

Symantec credited Andrew Garber of University of Victoria, Alex Harper, Michael Evans, and Luke Church of the Computer Laboratory at the University of Cambridge, Jeff Mccune of The Ohio State University, and Cameron Kay of Massey University, New Zealand with the discovery of some of the issues.