Apple on Wednesday issued updates to its product line, repairing flaws in the Mac OS X and OS X Server that could...
be exploited by an attacker to gain access to sensitive files.
In all, more than 40 fixes were released. The Cupertino, Calif.-based company issued the latest Leopard edition, Mac OS X version 10.5 and also included the Apple security update for Mac OS X version 10.4.11 and Mac OS X Server version 10.4.11.
The update is available from the Mac Software Update control panel or as a download from Apple's Web site.
It repairs one of three flaws in iCal discovered by Core Security Technologies. Core said "the vulnerabilities discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application."
Apple patched what Core called the most serious of the three vulnerabilities. A potential memory corruption could be exploited by attackers by using a malicious calendar file. If successfully exploited, Apple said the flaw could lead to an unexpected application termination or arbitrary code execution.
Other fixes corrected a bug in Apple CoreGraphics, which repairs a bug in the handling of PDF files. Opening a maliciously crafted PDF file may cause an unexpected application termination or arbitrary code execution, apple said.
A bug in Apple's Safari browser was also repaired. Safari's SSL client had a problem with certificate handling that could lead to disclosure of sensitive information to unauthorized websites. This update adds a feature prompting the user before sending the certificate.
Apple also repaired a number of bugs in the way Mac OS X handles image files. An out-of-bounds memory read error, and an integer overflow in the handling error could lead to information disclosure and arbitrary code execution. Several vulnerabilities in libpng, a library used when handling Portable Network Graphics (PNG) image format files, could be exploited to cause a remote denial of service.