Wednesday, May 28, 2008

Mac OS X 10.5.3 IS HERE! So is Security Update 003 with 27 Security Patches! And, And, And...

At last, at last!
10.5.3 is HERE AT LAST!

I gave up counting bugs in 10.5.2 when I hit #35. I am crossing my fingers they are all stamped out with this ENORMOUS update. If you use Software Update from within Leopard, the client version of Mac OS X 10.5.3 Update is 420 MB! The server version is 496 MB! If you want the Combo versions, the client version is 536 MB! The Combo server version is 632 MB!

But just as eye-opening are the 27+ security patches (Twenty Seven +!) included in Security Update 2008-003. The PPC client version is 72 MB (Seventy Two!). The Intel client version is 111 MB (One Hundred And Eleven!). The PPC server version is 88.9 MB (Eighty Eight Point Nine Megabytes!). The Universal Binary server version is 118 MB (One Hundred And Eighteen!).

And I'm not finished yet! Pay attention!

Also new is the Digital Camera RAW Compatibility Update 2.1 at 2.4 MB.

AND the Logic Express Update version 8.0.2 at 73.5 MB.

AND Server Admin Tools 10.5.3 at 64.5 MB.

IOW: Get ready for a snoozer of a download marathon.

Now for the boring but useful part. Here are all the URLs where you can read about and download the update disk images, followed by a list of security patches. I dare you to read them all! Will you survive?

Mac OS X 10.5.3 Update
Mac OS X Server 10.5.3 Update

Mac OS X 10.5.3 Combo Update
Mac OS X Server 10.5.3 Combo Update

Security Update 2008-003 (PPC)
Security Update 2008-003 (Intel)

Security Update 2008-003 Server (PPC)
Security Update 2008-003 Server (Universal)

Server Admin Tools 10.5.3

Digital Camera RAW Compatibility Update 2.1

Logic Express Update 8.0.2

Here is a summary of the new Mac OS X security updates, published in the Secunia Weekly Summary - Issue: 2008-22, which you can read at the most excellent Secunia website.


Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

The vulnerabilities include:

- An error in AFP server

- Various vulnerabilities in Apache (for Mac OS X Server v10.4.x)

- An unspecified error in AppKit

- Multiple unspecified errors in the processing of Pixlet video files

- An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files

- An error in Safari's SSL client certificate handling

- An integer overflow exists in CoreFoundation when handling CFData objects

- An error due to an uninitialised variable in CoreGraphics

- A weakness due to users not being warned before opening certain potentially unsafe content types

- An error when printing to password-protected printers with debug logging enabled

- Various vulnerabilities in Adobe Flash Player

- An integer underflow error in Help Viewer when handling help:topic URLs

- A conversion error exists in ICU when handling certain character encodings

- Unspecified parameters in Image Capture's embedded web server not being properly sanitised before use

- An error in the handling of temporary files in Image Capture

- A boundary error in the BMP and GIF image decoding engine in ImageIO

- Various vulnerabilities in ImageIO due to the use of vulnerable libpng code

- An integer overflow error in ImageIO within the processing of JPEG2000 images

- An error in Mail due to an uninitialised variable

- A vulnerability in Mongrel

- A weakness in the sso_util command-line tool

- An error in Wiki Server

- A vulnerability in Apple iCal

- A vulnerability due to an error in the handling of return values of "hashes()" in the "cs_validate_page()" function when processing signed Mach-O binaries

- A vulnerability due to an error within the "ipcomp6_input()" function in bsd/netinet6/ipcomp_input.c when processing packets with an IPComp header

And that's not the complete list!

In other Mac OS X security news, there remains only 1 (ONE) bona fide malware in the wild, the so-called 'Porno Trojan'. (BWAHAHAHA! I love that name). News has it that it has mutated, thanks to scurrilous Phishing scam entrepreneurs, into other manifestations at other websites. So be wary of all unverified, untrusted downloads, particularly those pretending to be 'video codecs' you are supposed to need to install to view a web video. If you think you are a victim you can obtain the FREE removal tool at the generous MacScan website:

DNSChanger Removal Tool

Remember that Microsoft Office macro viruses still abound. Please take precautions, such as using a safer office suite of applications. May I suggest NeoOffice, the freeware Open Source office suite that created the now international standard Open Doc format. Or alternatively consider Apple's elegant iWork suite including Pages, Keynote and Numbers.

You can read my evaluation of Leopard update 10.5.3 over at my other Macintosh blog, MacSmarticles.

Share and EnJoY!