By Slash Lane
Published: 04:00 PM EST (01:00 PM PST)
Apple Inc. on Thursday plugged over two dozen security exploits within the client and server versions of its Mac OS X 10.3 "Panther" and Mac OS X 10.4 "Tiger" operating systems that could potentially expose Mac users to a variety of malicious attacks.
For Mac OS X 10.4.9
A version of the software update for systems running Mac OS X 10.4.9 -- labeled
Security Update 2007-004 -- does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV.
The patch is available as a
16.1MB download for Macs running the Intel version of Mac OS X 10.4.9 client version and as a
9.3MB download for those machines running the PowerPC version of the OS.
For Mac OS X 10.3.9
Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release dismantles exploits in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation.
Users of 10.3.9 can download a
37.6MB updater for the client version of the software or a
54.1MB updater for its server counterpart.
The culprits
For the most part, the vulnerabilities addressed by the Mac maker's latest security update could translate into denial of service attack, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window.
The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environmental variables, could allow local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to "require a password to wake the computer from sleep."
