Thursday, August 6, 2009

Security Update 2009-003 & Mac OS X 10.5.8 Update Released

Look Apple, I'm trying to enjoy the summer. So what's with the almost daily Apple software security updates? Enough already! - Actually, I'm not complaining. The faster the bug fixes for Leopard the better.

You can read about the 18 security patches in Security Update 2009-003 & 10.5.8 HERE. Several of the security patches are for Mac OS X 10.4.11 as well as 10.5.7. Therefore, if you're using Tiger, be sure to check for and install the update.

Primer on how-to-update:

1) Repair your boot volume's permissions via Disk Utility.

2) Verify your boot disk via Disk Utility. If you have disk problems, boot from another volume or your Mac OS X installation DVD/CD and perform the repair.

3) After both steps 1 & 2 are completed, install the update.

4) After the update and associated reboots have been completed, repair your boot volume's permissions again.

Note that are even more fanatical and suggest that all of the above be done after booting into Safe Mode. They also recommend NOT installing system updates via Software Update. Instead they recommend DIY downloading and installing of Apple's provided 'combo' updates.

I've been a member at MacFixIt for several years. If there is one consistent thing I've learned from hanging out over there, it's that those people who run into problems after installing updates most likely did NOT follow steps 1 - 4. Even Apple are known to leave behind messed up permissions after update installations. Making sure your boot volume is in good repair before any installation is obvious. Repairing permissions is of course not a panacea for fixing your Mac. But it never hurts, and it is very important before and after any major update. I will not entertain any arguments to the contrary. So there.

Techy stuff:

What's in Security Update 2009-003? No surprise: Lots of bad memory management repairs! Let's count them together:

I) bzip2 has been updated to version 1.0.5 to stop out-of-bounds memory access dangers.

II) Improved ColorSync profile validation to prevent the ramifications of a heap buffer overflow.

III) Improved bounds checking of Canon RAW images to prevent the ramifications of a stack buffer overflow.

IV) OpenEXR has been updated to version 1.6.1 to prevent the ramifications of a heap buffer overflow.

V) Improved memory initialization and validation of OpenEXR images to prevent the ramifications of an uninitiated memory access flaw.

VI) Improved bounds checking of OpenEXR images to prevent the ramifications of multiple integer overflow flaws.

VII) Improved bounds checking of EXIF metadata to prevent the ramifications of a buffer overflow in ImageIO.

VIII) Improved validation of PNG images in order to prevent the ramifications of an uninitialized pointer flaw.

IX) Improved handling of fcntl system calls in order to prevent system privileges escalation and arbitrary code execution caused by overwriting kernel memory.

X) Improved validation of AppleTalk response packets in order to prevent a buffer overflow flaw in the kernel.

XI) PCRE has been updated to version 7.6 in order to prevent the ramifications of a buffer overflow flaw in the PCRE library used by XQuery.

Of the 18 security patches, that's 11 memory management patches. This proves once again that memory management remains the primary bane of contemporary coding. This is one of my favorite rants, if you haven't previously noticed.

The remaining 7 patches repair certificate warnings, JavaScript handling, Multi-Touch access, inetd-based launchd services, format string handling by the Login Window, MobileMe credentials deletion, and file descriptor sharing.

OK. Attention Apple: It's August. Go on vacation please so I can have one too. Thank you. Over and out.


No comments:

Post a Comment