Apple issues security update for 18 vulnerabilities

Apple has patched 18 vulnerabilities in Mac OS X.

Share

Apple has patched 18 vulnerabilities in Mac OS X.

The patches include half a dozen that could let hackers hijack machines by duping users into viewing malicious image files on the web.

Security Update 2009-003, which was distributed along with Mac OS X 10.5.8 for Leopard users and delivered separately to Tiger users, plugged holes in components ranging from ColorSync and Dock to the kernel and MobileMe, Apple's for-pay sync and storage service.

But it was the six vulnerabilities in various image file formats that caught the eye of Andrew Storms, director of security operations at nCircle Network Security.

"The PNG [Portable Network Graphics] bug is the most interesting," said Storms of the half-dozen image file flaws. "It's a pervasive format that's frequently on websites," he added, noting that attackers could trigger the bug simply by getting users to visit malicious sites, a common tactic in the Windows hacker world.

"It's easy enough to host one of these malicious files on [a hacker's] Web site," Storms added.

Apple patched four flaws in the ImageIO component of the Mac's operating system related to its handling of OpenEXR images, a format developed by Lucasfilm's Industrial Light and Magic visual effects studio in 1999 and released to open-source four years later.

The sixth image vulnerability, also in ImageIO, could be exploited by malformed Canon RAW photographic files.

Today's security release was Apple's smallest this year by vulnerability count. In May, for example, the California-based computer company quashed 67 bugs, while February's security update patched 55.

Storms saw other oddities this time around. "Usually, we see a lot of Safari or WebKit vulnerabilities, or bugs in a lot of third-party components," he said. "Today, we got neither."

Find your next job with computerworld UK jobs