Apple has released the year's fifth major security update for Mac OS X to patch 17 vulnerabilities, the first time this year that an OS security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Eight of the 17 vulnerabilities could do no more damage than cause a denial of service of, or a crash in, the affected component. Only five of the patched vulnerabilities could allow an attacker to execute his own code. Apple's year-to-date patch total may be over 100, but this month's update fixed fewer flaws than last month's (25) and the one before that (45).
Among the serious bugs is one in how Mac OS X 10.4 handles PDF files. "By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution," Apple's advisory said. Attacks using this strategy, although rare on Macs, mean Apple's users would have to be careful when opening attachments. Another dangerous flaw that was fixed exists in the code that maps ports on home networks in iChat, Apple's instant messaging service and software. An attacker with access to the local network could exploit the bug by sending a malformed packet that triggers a buffer overflow, which could then be used to run malicious code on the Mac. Other parts of Mac OS X that were patched include Berkeley Internet Name Domain, the de facto standard Domain Name System server software, which was patched against four vulnerabilities; the Ruby CGI library (two vulnerabilities); and Fetchmail (one vulnerability).