Mac maker Apple released an update for the Mac OS X operating system on Thursday to close denial-of-service and remote execution flaws in various system components, including an issue found, but not exploited, by researchers at the CanSecWest conference.
In total, the update closes 17 flaws, according to an advisory released by the company. The patch includes fixes for a number of flaws that could be used to run code on Mac OS X, including an issue in the CoreGraphics functions that could be triggered by a maliciously crafted PDF file, security holes in iChat and the mDNSResponder component that could allow an attacker on the local network to compromise a Mac, and a flaw in Fetchmail that could leak a user's e-mail passwords.
Flaws in the Apple operating system were highlighted in April, when security researcher Dino Dai Zovi found a QuickTime flaw to win the CanSecWest PWN to Own competition. The contest tasked researchers with compromising either of two MacBook Pros placed on a closed network. Dai Zovi won a $10,000 bounty offered by TippingPoint, the security division of networking giant 3Com, while another researcher who actually executed the attack took home the computer.
Researchers from Juniper Networks had found the flaw in the mDNSResponder component of Mac OS X at the CanSecWest conference. SecurityFocus first covered the discovery but did not identify the flaw. Apple credited Mike Lynn, a researcher at Juniper Networks, with the discovery.
The patch marks the fifth major update for Apple in 2007, bringing the total number of flaws fixed in 2007 to 109, not counting a patch to the Darwin Streaming Server last week and three fixes for the Airport Extreme wireless base station.
Posted by: Robert Lemos