Apple patches a batch of Mac OS X flaws
Apple Computer on Tuesday released 20 patches for its OS X operating system designed to fix flaws that could catch users off-guard.
The vulnerabilities apply to Mac OS X v10.3.9 and Mac OS X Server 10.3.9, according to Apple's advisory. The announcement comes roughly a month after Apple issued nearly a dozen patches for its Mac OS.
The advisory also falls just days after Apple's much-ballyhooed release of the latest version of its operating system, Mac OS X 10.4, widely known as Tiger. The flaws were already addressed in Tiger, so the patches apply only to the previous version, known as Panther.
Security company Secunia on Wednesday rated Apple's OS X flaws as "highly critical". Among the flaws of greatest concern is a vulnerability in the OS X AppKit that relates to the handling of TIFF graphics files.
"If people view a malicious TIFF, it could result in running arbitrary code," said Thomas Kristensen, chief technology officer for Secunia. "TIFF is usually viewed as a safe form to view things, so this makes it more critical."
Another issue of concern is an AppleScript flaw. If users visit a Web site and accept AppleScript from that site, they could find it executing different code to what they had expected, Kristensen added.
A flaw affecting the Apache Web server, meanwhile, could allow a buffer overflow in the htdigest program, which, if used improperly in a CGI application, could in turn allow a remote system attack.
Kristensen downplayed the Apache flaw. "Apache is an important bug fix, but it would be unusually difficult to exploit and it would need an unusual configuration," he said.
Two vulnerabilities were also found in the operating system's Bluetooth wireless capabilities. One could allow files to be shared without properly notifying the user, while another could be used by a malicious attacker to access files outside the default file exchange directory via the Bluetooth file and object exchange services.
Another flaw could allow directory services to be altered to give privileges to someone who is unauthorised to have them, according to the advisory.
Apple's OS X patch announcement also includes fixes for Finder, Foundation, Help Viewer, LDAP, libXpm, lukemftpd, NetInfo, Server Admin, sudo, Terminal and VPN.
Apple has no fixed schedule for issuing patches. By contrast, Microsoft in late 2003 moved to a monthly release of security fixes, and Oracle has adopted a similar practice, but on a quarterly basis.