Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Wednesday, 13 May 2009 09:39

Mac OS X 10.5.7 finally arrives: dozens of security fixes

Well, it's finally here. Mac OS X 10.5.7 delivers a swag of bug fixes, including many with security implications. There's a corresponding security update for 10.4 Tiger.

In Apple's words, "The 10.5.7 Update is recommended for all users running Mac OS X Leopard and includes general operating system fixes that enhance the stability, compatibility and security of your Mac."

That's pretty much all the company ever thinks The Rest Of Us need to know about updates. Enhanced stability, compatibility and security can't be bad, can it?

Additional information is available if you dig deeper on Apple's web site, though (at the time of writing) you had to work around a link to the wrong support article. The one you need is here.

So what are the highlights?

As expected, several syncing issues have been addressed, in particular iCal syncing with MobileMe, Mail with Notes, and Address Book with Yahoo!.

Talking of third party services, the update also takes care of "issues" that may have been occurring when logging into Gmail.

What else has been fixed? Find out on page 2.

Parental Controls are supposed to work more consistently, including a bug fix involving time limits and full-screen games and fast user switching.

Video playback and cursor movement has been improved on recent models with Nvidia graphics chips.

The "reliability and accuracy" of certain widgets has been improved (yes, we would like accurate unit conversion, thank you).

Most of the other changes listed apply to relatively unusual circumstances, such as the Dvorak keyboard layout, network home directories on Mac OS X Server 10.4, and various printing issues.

What about security?

46 fixes are catalogued in total, with just two of them applying exclusively to Mac OS X 10.4. Over half of the issues potentially allow the execution of arbitrary code.

Updated components include Apache, Apple Type Services, BIND, CFNetwork, CoreGraphics, Cscope, CUPS, Disk Image handling (two issues that could lead to arbitrary code execution), enscript, Flash Player, Help Viewer (two issues that could lead to arbitrary code execution), iChat, Unicode string handling, IPSec, Kerberos (multiple issues), Launch Services, libxml, Net-SNMP, Network Time, Networking, OpenSSL, PHP (the update delivers PHP 5.2.8, even though version 5.2.9 was released in February), QuickDraw Manager, ruby, Safari, Spotlight (a vulnerability in the Microsoft Office importer), system_cmds, telnet, WebKit, and X11 (multiple issues).

Some of these deserve a closer look, so please read on.

At least 18 of the issues relate to open source components used by Apple.

The Apple Type Services (ATS) issue is particularly interesting, as it is presumably the bug exploited by Charlie Miller to win the Pwn2Own contest at CanSecWest earlier this year, as he is not credited with reporting any other issues. The problem was that "Viewing or downloading a
document containing a maliciously crafted embedded CFF [Compact Font Format] font may lead to arbitrary code execution."

If this is the bug in question, then some of the criticism of Safari following Pwn2Own was misplaced.

The CoreGraphics bugs are also noteworthy, as they include multiple PDF issues, with at least one apparently similar to a recent Adobe Reader/Acrobat vulnerability. There were reports at the time that other vendors' PDF implementations were also vulnerable, and they have been borne out.

Some of the libxml, Safari and WebKit bugs have also been bundled into Safari 3.2.3 for Windows, Leopard and Tiger; and into the Safari 4 Beta Update for Mac OS X and Windows.

The updates are available via Software Update (Apple Software Update on Windows) or from Apple's Support Downloads page.

File sizes vary widely. The Mac OS X 10.5.7 update varies from 442M for the standalone updater to 951M for the combo updater for the server edition. Depending on the updates already installed, using Software Update may result in a smaller download.

Security Update 2009-002 for Tiger varies from 75M for the PowerPC updater to 203M for the Server Universal version.

Safari 3.2.3 is 40M for Leopard, 26M for Tiger, and 20M for Windows.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Stephen Withers

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News