Apple releases Security Update 2010-005

Apple has released a security update for Mac OS X 10.5 Leopard and 10.6 Snow Leopard users. This is not unheard of by any stretch of the imagination, but it is a bit odd to release a security update for the latest version of OS X that is not also rolled into a point release of the OS.

There are 12 vulnerabilities addressed that affect seven different areas of the Mac OS X software. These areas are ‘Apple Type Services,’ ‘CFNetwork,’ ‘ClamAV,’ ‘CoreGraphics,’ ‘libsecurity,’ ‘PHP,’ and ‘SAMBA.’

Of these 12 vulnerabilities, four affect Mac OS X 10.5.8 client users, five affect Mac OS X 10.5.8 server users, seven affect Mac OS X 10.6.4 client users, and all of the vulnerabilities affect Mac OS X 10.6.4 server users.

One notable flaw that is fixed is the vulnerability with Apple Type Services, which may lead to a buffer overflow when using embedded fonts. This is similar to the iOS fixes for the ‘’ hack.

A second notable flaw is fixed by updating PHP to 5.3.2 on Mac OS X 10.6.4 client and 10.6.4 server, which removes multiple vulnerabilities in PHP 5.3.1. This is good for those who are using MediaWiki, as there is an issue with PHP version 5.3.1 and the latest MediaWiki update that this security update fixes.

This update is only available for Mac OS X 10.6.4 and Mac OS X 10.5.8 users. If you’re using a version other than these, you will need to update to the latest version to obtain the security update.


Updates are available from the Mac OS X Software Update Utility or by following one of these links:

Mac OS X 10.5.8 Client update is 211.88MB.

Mac OS X 10.5.8 Server update is 418.92MB.

Mac OS X 10.6.4 Client update is only 80.63MB.

Mac OS X 10.6.4 Server update is 136.86MB.

All previous updates have been included, hence the discrepancy in the file sizes. It is a good idea to download the update, but it will require a reboot, so head off and start your downloads now.
