Apple released a patch on Wednesday that closed a serious denial-of-service bug that affects most standard implementations of the Internet Protocol version 6.
The issue, highlighted by two researchers at the CanSecWest Conference in April, could be used to amplify denial-of-service attacks on systems that support the Internet Engineering Task Force (IETF) standard for the next-generation Internet protocol. The IPv6 standard had allowed the source of a network packet to determine the data's path through the network, giving an attacker the ability to create malicious network packets capable of bouncing between routers tens of times.
"Depending on network topology and capacity, the reception of specially crafted IPv6 packets may lead to a reduction in network bandwidth," Apple stated in its patch advisory.
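As an added illustration (not part of the original article and not Apple's code), the sketch below shows how a defender could flag such packets in captured traffic. It assumes the source-routing feature in question is the IPv6 Type 0 Routing extension header, which the article does not name; the function names and the documentation-prefix addresses are constructed for the example.

```python
import ipaddress
import struct
from collections import Counter

ROUTING, FRAGMENT = 43, 44
EXT_HEADERS = {0, ROUTING, FRAGMENT, 60}  # 0 = Hop-by-Hop, 60 = Destination Options

def find_rh0(packet: bytes):
    """Return details of a Type 0 Routing header in a raw IPv6 packet, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_hdr, offset = packet[6], 40
    while next_hdr in EXT_HEADERS and offset + 8 <= len(packet):
        # Fragment headers are a fixed 8 bytes; the others carry a length field
        # counted in 8-octet units, not including the first 8 octets.
        hdr_len = 8 if next_hdr == FRAGMENT else 8 + packet[offset + 1] * 8
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            end = min(offset + hdr_len, len(packet))
            hops = [str(ipaddress.IPv6Address(packet[i:i + 16]))
                    for i in range(offset + 8, end - 15, 16)]
            repeats = max(Counter(hops).values(), default=0)
            return {"segments_left": packet[offset + 3],
                    "hops": hops,
                    "max_repeats": repeats}  # >1 means a hop is revisited
        next_hdr, offset = packet[offset], offset + hdr_len
    return None

def build_sample(hops):
    """Constructed input: IPv6 header plus a Type 0 Routing header, no payload."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    rh = struct.pack("!BBBBI", 59, 2 * len(hops), 0, len(hops), 0) + addrs
    fixed = struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::a").packed
    return fixed + src + dst + rh

if __name__ == "__main__":
    # Constructed sample: a hop list alternating between two addresses ten times.
    sample = build_sample(["2001:db8::a", "2001:db8::b"] * 10)
    print(find_rh0(sample))
```

A hop list in which the same address recurs many times is the signature of the bouncing behaviour described above; filtering or dropping packets that carry this header removes the amplification path.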
The update for the single flaw brings the total number of Mac OS X vulnerabilities publicly fixed by Apple in 2007 to 112, including two QuickTime flaws that the company fixed at the end of May. Earlier this month, the company also fixed a number of flaws found in a beta version of its Safari browser for Windows.
The IPv6 flaw only affects users of Mac OS X 10.4 (corrected), not previous versions of the operating system. The patch can be downloaded and installed using Mac OS X's Software Update preferences or directly from Apple's Downloads site.
Apple also released on Wednesday a patch for its multimedia hub, Apple TV, to fix a remotely exploitable vulnerability. The update will automatically be downloaded and installed.
CORRECTION: The article originally misstated the version of Mac OS X impacted by the vulnerability. All revisions of Mac OS X 10.4, except version 10.4.10, are affected. Mac OS X 10.4.10 fixes the vulnerability.
Posted by: Robert Lemos