Apple has dropped another mega-patch to cover a total of 58 documented vulnerabilities affecting the Mac OS X ecosystem.
The majority of the flaws could allow a remote attacker to gain complete control of an unpatched system, meaning that this update carries an “extremely critical rating.”
It includes patches for open-source components like Apache and PHP and security holes in the QuickTime media player.
Here’s a glimpse of some of the more serious issues covered in the Security Update 2009-006/Mac OS X v10.6.2 patch bundle:
- AFP Client — Multiple memory corruption issues exist in AFP Client. Connecting to a malicious AFP Server may cause an unexpected system termination or arbitrary code execution with system privileges.
- Apache — Apache is updated to version 2.2.13 to address several vulnerabilities, the most serious of which may lead to privilege escalation. A separate patch corrects a flaw that allows an attacker to use the TRACE HTTP method in the Apache Web server to conduct cross-site scripting attacks through certain web client software.
- Apache Portable Runtime — Multiple integer overflows in Apache Portable Runtime (apr) may lead to an unexpected application termination or arbitrary code execution.
- ATS — Multiple buffer overflows exist in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.
- CoreGraphics — Multiple integer overflows in CoreGraphics’ handling of PDF files may result in a heap buffer overflow. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
- CoreMedia — Memory corruption and heap buffer overflow issues exist in the handling of H.264 movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution.
- CUPS — An issue in CUPS may lead to cross-site scripting and HTTP response splitting. Accessing a maliciously crafted web page or URL may allow an attacker to access content available to the current local user via the CUPS web interface. This could include print system configuration and the titles of jobs that have been printed.
- Dictionary — A design issue in Dictionary allows maliciously crafted JavaScript to write arbitrary data to arbitrary locations on the user’s filesystem. This may allow another user on the local network to execute arbitrary code on the user’s system.
- DirectoryService — A memory corruption issue exists in DirectoryService. This may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update only affects systems configured as DirectoryService servers.
- Disk Images — A heap buffer overflow exists in the handling of disk images containing FAT filesystems. Downloading a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution.
- Dovecot — Multiple buffer overflows exist in dovecot-sieve. By implementing a maliciously crafted dovecot-sieve script, a local user may cause an unexpected application termination or arbitrary code execution with system privileges.
- ImageIO — A buffer underflow exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
- Kernel — Multiple input validation issues exist in Kernel’s handling of task state segments. These may allow a local user to cause information disclosure, an unexpected system shutdown, or arbitrary code execution.