Apple patches vulnerabilities with new update
Apple released Security Update 2010-005 which increases the stability, compatibility, and security of your Mac.
A stack buffer overlow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.
CFNetwork permits anonymous TLS/SSL connections. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections. This issue does not affect systems prior to Mac OS X v10.6.3.
Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.96.1. ClamAV is distributed only with Mac OS X Server systems.
A heap buffer overflow exists in CoreGraphics’ handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
An issue exists in the handling of certificate host names. For host names containing three or more components, the last characters are not properly compared. In the case of a name containing exactly three components, only the last character is not checked. For example, if an attacker in a privileged network position could obtain a certificate for www.example.con the attacker can impersonate www.example.com. This issue is addressed through improved handling of certificate host names.
A buffer overflow exists in PHP’s libpng library. Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitary code execution. This issue is addressed by updating libpng within PHP to version 1.4.3. This issue does not affect systems prior to Mac OS X v10.6.
PHP is updated to version 5.3.2 to address multiple vulnerabilities, the most serious of which may lead to arbitary code execution.
A buffer overflow exists in Samba. An unauthenticated remote attacker may cause a denial of service or arbitrary code execution by sending a maliciously crafted packet. This issue is addressed by performing additional validation of packets in Samba.