Apple releases Mac OS X 10.5.4 update with new security fixes

In a notice on its corporate Web site today, Apple said it had released a wrap-up of general operating system stability and security improvements, including several that address malicious crafting exploits.

One new security update released today and incorporated into the version 10.5.4 package addresses a series of problems uncovered by, and attributed to, UK-based software developer and consultant James Urquhart, who himself does not claim to be a security engineer. A recent Secunia software advisory also credits Urquhart, who was also able to locate a problem with versions of Safari for Windows prior to version 3.1.2 (obviously not addressed by today's Mac OS X update).

Reports from as early as January 2006 reveal that Mac OS X has suffered from problems dealing with maliciously encoded GIF files. If a GIF image file can be crafted so that the image contents overwrite where the interpreter is expecting the image to terminate, an error condition can be triggered. And apparently in the revelation or disclosure of that error, information is divulged which lets an exploiter read the contents of the remote client system's memory.

Another problem with the handling of JavaScript arrays, which would normally be expected to terminate code execution, can lead to arbitrary code being executed instead. This latest operating system update addresses both of these issues.

Users who have already gotten an early glimpse of the terms of service for Apple's MobileMe -- announced earlier this month as the replacement for .Mac -- noted that the new service only supports OS X versions 10.4.11 (the last in that old series) or 10.5.4 and later. MobileMe is expected to be released July 11, which is why Mac users have been expecting 10.5.4 -- the newest system on which it depends -- to be released somewhat sooner.