Apple recently released the fifth security fix for its Mac OS X software this year. The release patched 17 vulnerabilities, fewer than last month's update (25 fixes) and the one before that (45 fixes). Fewer than one-third of them (5) allow remote access to the computer and could let an attacker inject their own code into a compromised system.

Among the serious bugs is one in how Mac OS X 10.4 handles PDF files. “By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution,” Apple’s advisory said. Attacks of this kind, although rare on Macs, are common threats faced by Windows users, who have had to learn, sometimes unsuccessfully, to be wary of unexpected file attachments.

Another dangerous flaw fixed Thursday is in the code that iChat, Apple’s instant messaging software, uses to map ports on home-network routers. An attacker need only send a malformed packet to trigger a buffer overflow, which could then be used to run malicious code on the Mac. The attacker, however, must have access to the local network to exploit the bug.

Other parts of Mac OS X patched Thursday include BIND (Berkeley Internet Name Domain), the de facto standard Domain Name System server software, which was patched against four vulnerabilities; the Ruby CGI library (two vulnerabilities); and Fetchmail (one vulnerability).

Thursday’s update pushed Apple’s year-to-date patch total to over 100. The security update can be downloaded from the Apple site or installed through Mac OS X’s built-in Software Update service.
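The two overflows described above, in the PDF handler and in iChat's port-mapping code, share one shape: a length field read from untrusted input (a file or a network packet) drives a copy into a fixed-size buffer. The C program below is an added illustration of that pattern, not Apple's code and not iChat's real protocol; the wire format (type byte, length byte, payload), the function names and the sample packets are all constructed for the example. It shows the unchecked parser beside the hardened one and exercises the safe version on a well-formed, a truncated and an oversized packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (an assumption, not iChat's
 * real port-mapping protocol): byte 0 = message type, byte 1 = payload
 * length, followed by that many payload bytes (here, a device name). */
#define NAME_MAX 16  /* fixed-size destination buffer */

/* Vulnerable pattern: the length byte is taken straight from the packet
 * and used to size a copy into a fixed 16-byte buffer. A length of 16..255
 * overflows 'out'; a length larger than the packet also reads past its end. */
int parse_name_unsafe(const uint8_t *pkt, size_t pktlen, char out[NAME_MAX])
{
    if (pktlen < 2)
        return -1;
    uint8_t len = pkt[1];
    memcpy(out, pkt + 2, len);   /* no check against NAME_MAX or pktlen */
    out[len] = '\0';
    return len;
}

/* Hardened form: the length is validated against both the bytes actually
 * received and the destination buffer before any copy happens. */
int parse_name_safe(const uint8_t *pkt, size_t pktlen, char *out, size_t outsz)
{
    if (pktlen < 2)
        return -1;                    /* too short to carry a header */
    size_t len = pkt[1];
    if (len > pktlen - 2)
        return -2;                    /* claims more payload than was received */
    if (len >= outsz)
        return -3;                    /* would not fit with its terminator */
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample packets. */
static const uint8_t GOOD_PKT[] = { 0x01, 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t TRUNCATED_PKT[] = { 0x01, 200, 'x', 'y' };  /* says 200, carries 2 */

struct demo_results {
    int unsafe_good;     /* unsafe parser on well-formed input */
    int safe_good;       /* safe parser on well-formed input */
    int safe_truncated;  /* safe parser on a packet shorter than its length field */
    int safe_oversized;  /* safe parser on a payload larger than NAME_MAX */
    int name_ok;         /* 1 if the safe parser produced "alice" */
};

struct demo_results run_demo(void)
{
    struct demo_results r;
    char name[NAME_MAX];

    /* An oversized but internally consistent packet: 40 bytes of payload. */
    uint8_t oversized[2 + 40];
    oversized[0] = 0x01;
    oversized[1] = 40;
    memset(oversized + 2, 'A', 40);

    r.unsafe_good = parse_name_unsafe(GOOD_PKT, sizeof GOOD_PKT, name);
    r.safe_good = parse_name_safe(GOOD_PKT, sizeof GOOD_PKT, name, sizeof name);
    r.name_ok = (r.safe_good == 5 && strcmp(name, "alice") == 0);
    r.safe_truncated = parse_name_safe(TRUNCATED_PKT, sizeof TRUNCATED_PKT, name, sizeof name);
    r.safe_oversized = parse_name_safe(oversized, sizeof oversized, name, sizeof name);
    /* parse_name_unsafe(oversized, ...) is deliberately not called: it would
     * write 41 bytes into a 16-byte stack buffer, the crash-or-code-execution
     * case the advisory describes. */
    return r;
}

int main(void)
{
    struct demo_results r = run_demo();
    printf("unsafe parser, good packet:     %d\n", r.unsafe_good);
    printf("safe parser, good packet:       %d (name ok: %d)\n", r.safe_good, r.name_ok);
    printf("safe parser, truncated packet:  %d\n", r.safe_truncated);
    printf("safe parser, oversized packet:  %d\n", r.safe_oversized);
    return 0;
}
```

The same two checks apply whether the length comes from a PDF object, a chat packet or a DNS message: the value must be bounded by what was actually received and by the buffer it is copied into, and both checks must happen before the copy, not after.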