
SANS ISC: Apple Releases OSX 10.5.6/Security update 2008-008 SANS ISC InfoSec Forums

Apple Releases OSX 10.5.6/Security update 2008-008

Apple has released an update for OS X; you can now download 10.5.6 through the Software Update app.

It patches a large number of vulns. Here are just the CVEs:

  • CVE-2008-4236 - Apple Type Services malicious PDF font DoS
  • CVE-2008-4217 - BOM CPIO archive code execution
  • CVE-2008-3623 - CoreGraphics heap overflow via malicious image
  • CVE-2008-3170 - CoreServices/Safari user credential disclosure
  • CVE-2008-4234 - CoreTypes failure of Download Validation (no warning when you launch downloaded content)
  • CVE-2008-4818 - Flash Player plug-in issues (as per previous entries earlier in the summer)
  • CVE-2008-4819 - Flash Player plug-in issues
  • CVE-2008-4820 - Flash Player plug-in issues
  • CVE-2008-4821 - Flash Player plug-in issues
  • CVE-2008-4822 - Flash Player plug-in issues
  • CVE-2008-4823 - Flash Player plug-in issues
  • CVE-2008-4824 - Flash Player plug-in issues
  • CVE-2008-4218 - Kernel integer overflow allowing local priv escalation
  • CVE-2008-4219 - Kernel - system crash when you use dynamic libraries on an NFS share
  • CVE-2008-4220 - Libsystem integer overflow in the inet_net_pton API (gives code execution)
  • CVE-2008-4221 - Libsystem "memory corruption" via the strptime API (gives code execution)
  • CVE-2008-1391 - Libsystem - a whole pile of integer overflows in the strfmon API (gives code execution)
  • CVE-2008-4237 - Managed Client doesn't apply managed screen saver settings correctly
  • CVE-2008-4222 - network_cmds - DoS via custom TCP packet when Internet Sharing is enabled
  • CVE-2008-4223 - Podcast Producer auth bypass allows a remote attacker access to the admin functions
  • CVE-2008-4224 - UDF - a specially built ISO file can cause a system crash.

You can get the update via Software Update or from: http://www.apple.com/support/downloads/

The hashes are as follows:

For Mac OS X v10.5.5
The download file is named: "MacOSXUpd10.5.6.dmg"
Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded

For Mac OS X v10.5 - v10.5.4
The download file is named: "MacOSXUpdCombo10.5.6.dmg"
Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4

For Mac OS X Server v10.5.5
The download file is named: "MacOSXServerUpd10.5.6.dmg"
Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac

For Mac OS X Server v10.5 - v10.5.4
The download file is named: "MacOSXServerUpdCombo10.5.6.dmg"
Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-008Intel.dmg"
Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-008PPC.dmg"
Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-008Univ.dmg"
Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-008PPC.dmg"
Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c

We'll be updating as we have any additional information about the update.

Toby

Dec 15th 2008
