AppleInsider › Forums › Software › Mac OS X › Apple releases Mac OS X security update to patch PDF exploit

Apple releases Mac OS X security update to patch PDF exploit

post #1 of 20
Thread Starter 
Apple released a Mac OS X security update Tuesday that fixes a critical PDF vulnerability.

The update, labeled Security Update 2010-005, addresses a "heap buffer overflow" in the way CoreGraphics handles PDF files. The vulnerability could allow "unexpected application termination or arbitrary code execution" through a malicious PDF file.

It is unclear whether this fix is related to the PDF exploit on iOS 4 that allowed hackers to jailbreak the iPhone. Apple released an update on August 11 that addressed the iOS PDF exploit.

Security Update 2010-005 also patches a "stack buffer overflow" that would allow arbitrary code execution through a malicious embedded font. Both the PDF and the font vulnerabilities are fixed through "improved bounds checking."

Also included in the update are several routine fixes to network security flaws.

The update affects Mac OS X Server 10.5, Mac OS X 10.5.8, Mac OS X Server 10.6, and Mac OS X 10.6.4.
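The article says both flaws are fixed through "improved bounds checking", which is worth seeing concretely. The following is an added example, not Apple's CoreGraphics code and not real PDF syntax: it decodes a constructed, length-prefixed stream record into a fixed-size heap buffer, first the way a decoder that trusts the declared length would (the shape of a heap buffer overflow), then with the two checks a hardened decoder needs. The record layout, `STREAM_MAX`, the function names and the sample records are all assumptions made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record layout (assumption, not the PDF format):
 *   bytes 0..1 : declared payload length, big-endian
 *   bytes 2..  : payload
 * The decoder copies the payload into a heap buffer of STREAM_MAX bytes. */
#define STREAM_MAX 64

/* Vulnerable form, kept for comparison only and never called on the samples:
 * the declared length is trusted for both the source read and the destination
 * write. declared > STREAM_MAX overflows the heap buffer; declared larger than
 * the bytes actually present over-reads the input. */
uint8_t *decode_stream_unchecked(const uint8_t *input, size_t input_len) {
    if (input_len < 2) return NULL;
    size_t declared = ((size_t)input[0] << 8) | input[1];
    uint8_t *out = malloc(STREAM_MAX);
    if (!out) return NULL;
    memcpy(out, input + 2, declared); /* no bounds check: heap buffer overflow */
    return out;
}

/* Status codes so callers can tell which check fired. */
enum decode_status { DECODE_OK = 0, DECODE_TRUNCATED = 1, DECODE_TOO_LONG = 2, DECODE_NOMEM = 3 };

/* Hardened form: the declared length is validated against both the bytes
 * available in the input and the capacity of the destination buffer before
 * any copy happens. */
enum decode_status decode_stream_checked(const uint8_t *input, size_t input_len,
                                         uint8_t **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (input_len < 2) return DECODE_TRUNCATED;
    size_t declared = ((size_t)input[0] << 8) | input[1];
    size_t available = input_len - 2;
    if (declared > available) return DECODE_TRUNCATED; /* would over-read the input */
    if (declared > STREAM_MAX) return DECODE_TOO_LONG;  /* would overflow the heap buffer */
    uint8_t *buf = malloc(STREAM_MAX);
    if (!buf) return DECODE_NOMEM;
    memcpy(buf, input + 2, declared);
    *out = buf;
    *out_len = declared;
    return DECODE_OK;
}

/* Constructed sample records. */
static const uint8_t good_record[] = {0x00, 0x05, 'H', 'e', 'l', 'l', 'o'}; /* declares 5, carries 5 */
static const uint8_t lying_record[] = {0xFF, 0xFF, 'H', 'i'};               /* declares 65535, carries 2 */
static const uint8_t long_record[102] = {0x00, 0x64};                       /* declares 100, carries 100 (> STREAM_MAX) */

/* Decode one record with the hardened decoder, free the result, return the status. */
enum decode_status decode_sample(const uint8_t *input, size_t input_len) {
    uint8_t *out = NULL;
    size_t out_len = 0;
    enum decode_status st = decode_stream_checked(input, input_len, &out, &out_len);
    free(out);
    return st;
}

int main(void) {
    static const char *names[] = {"OK", "TRUNCATED", "TOO_LONG", "NOMEM"};
    printf("good_record  -> %s\n", names[decode_sample(good_record, sizeof good_record)]);
    printf("lying_record -> %s\n", names[decode_sample(lying_record, sizeof lying_record)]);
    printf("long_record  -> %s\n", names[decode_sample(long_record, sizeof long_record)]);
    return 0;
}
```

The two rejected records are the two ways a length field lies: claiming more bytes than the file contains (an over-read) and claiming more than the destination can hold (the heap overflow the advisory describes). Neither check costs anything measurable, which is the point raised later in the thread.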
post #2 of 20
Updating now. Wonder if this affects Chrome's built in PDF viewer.

Update: weighs 84 megs, requires a restart.
--SHEFFmachine out
Da Bears!
post #3 of 20
So now I won't be able to jailbreak my iMac!?
I've accomplished my childhood's dream: My job consists mainly of playing with toys all day long.
post #4 of 20
Quote:
Originally Posted by sheff View Post

Updating now. Wonder if this affects Chrome's built in PDF viewer.

Update: weighs 84 megs, requires a restart.

84mb for a little patch? Wow...
post #5 of 20
Quote:
Originally Posted by SHOBIZ View Post

84mb for a little patch? Wow...

Yep, but, 3 minute download for me. I'd be complaining if I was still on dial-up!
post #6 of 20
Quote:
Originally Posted by PaulMJohnson View Post

Yep, but, 3 minute download for me. I'd be complaining if I was still on dial-up!

Y'all are never curious about what is in an 84mb file?
post #7 of 20
Quote:
Originally Posted by SHOBIZ View Post

Y'all are never curious about what is in an 84mb file?

Not really. I bought a Mac on the "it just works" idea.

I don't want to have to be curious about my computer, I just want it to work. Plus, I feel if there was something to worry about, the good people of the AppleInsider forums would warn me - some of them very loudly!
post #8 of 20
Quote:
Originally Posted by SHOBIZ View Post

Y'all are never curious about what is in an 84mb file?

I believe there were a couple of other general fixes / maintenance in there as well. Just PDF was the main reason for pushing out the patch.
--SHEFFmachine out
Da Bears!
post #9 of 20
Quote:
Originally Posted by PaulMJohnson View Post

Not really. I bought a Mac on the "it just works" idea.

I don't want to have to be curious about my computer, I just want it to work. Plus, I feel if there was something to worry about, the good people of the AppleInsider forums would warn me - some of them very loudly!

If you just want it to work why even worry enough to look here?
post #10 of 20
Quote:
Originally Posted by AppleInsider View Post

The update, labeled Security Update 2010-005, addresses a "heap buffer overflow" in the way CoreGraphics handles PDF files. The vulnerability could allow "unexpected application termination or arbitrary code execution" through a malicious PDF file.

It continues to confound and astonish me that with the incredible amount of processing power at our disposal, software vendors routinely omit bounds checking code. Why is it that we have all manner of fancy visual effects which may require huge amounts of processing power but are no more than eye candy, but not bounds checking to make code secure?
post #11 of 20
Obligatory "It's snappier !11!!"
post #12 of 20
Good deal. It was only a matter of time that they'd fix it.
post #13 of 20
Quote:
Originally Posted by nvidia2008 View Post

Obligatory "It's snappier !11!!"

Big time! I did a render last night and it took 1204 seconds, and after the patch it's only taking 258 seconds. No, really!

Or... it could be because I switched from a 2006 4-core Mac Pro to a new 12-core today, but I'm pretty sure the patch was involved too.
post #14 of 20
Quote:
Originally Posted by mrstep View Post

Big time! I did a render last night and it took 1204 seconds, and after the patch it's only taking 258 seconds. No, really!

Or... it could be because I switched from a 2006 4-core Mac Pro to a new 12-core today, but I'm pretty sure the patch was involved too.

Yay
post #15 of 20
April 2010:
Quote:
We know from painful experience that letting a third party layer of software come between the platform and the developer ultimately results in sub-standard apps and hinders the enhancement and progress of the platform. If developers grow dependent on third party development libraries and tools, they can only take advantage of platform enhancements if and when the third party chooses to adopt the new features. We cannot be at the mercy of a third party deciding if and when they will make our enhancements available to our developers.

http://www.apple.com/hotnews/thoughts-on-flash/


August 19:
Quote:
Adobe to release emergency patch today

Adobe has announced that it is releasing an emergency out-of-cycle patch later today to resolve a range of security vulnerabilities in its Reader and Acrobat PDF packages.

http://www.bit-tech.net/news/bits/20...-patch-today/1


August 25:
Quote:
Apple released a Mac OS X security update Tuesday that fixes a critical PDF vulnerability.

The update, labeled Security Update 2010-005, addresses a "heap buffer overflow" in the way CoreGraphics handles PDF files. The vulnerability could allow "unexpected application termination or arbitrary code execution" through a malicious PDF file.

http://www.appleinsider.com/articles...f_exploit.html
post #16 of 20

You are comparing Apples and Oranges. PDF is a published standard. Adobe's reader (aka bug infested bloatware ) is just one implementation of a viewer. Apple's PDF implementation has no dependency on Adobe. You are correct when it comes to Flash.
Most of us employ the Internet not to seek the best information, but rather to select information that confirms our prejudices. - Nicholas D. Kristof
post #17 of 20
Quote:
Originally Posted by talksense101 View Post

You are comparing Apples and Oranges. PDF is a published standard. Adobe's reader (aka bug infested bloatware ) is just one implementation of a viewer. Apple's PDF implementation has no dependency on Adobe. You are correct when it comes to Flash.

Cogent observations aside, this gray-haired retired Unix programmer glazes eyes over yet once again regarding "stack buffer overflow" smash-and-grab errors. By now you'd think the industrial world has adopted tricknology developed over a decade ago to snuff this stuff out. Maybe someone has a patent on how-to-forever-prevent "stack smashing"-at-compile-time, but I doubt it. What hath BSD Unix wrought?
post #18 of 20
I installed this patch on my late '09 Mac Mini and mid-'10 MacBook Pro. Everything went fine with the Mac Mini, but on the MacBook Pro the restart "hung" while the screen was solid blue and the gear was still spinning. This has happened before with the laptop and Apple security updates.
The previous time I called AppleCare but the technician just guided me through the forced restart process.
post #19 of 20
The list of OSes which are affected or potentially-affected by the previous .PDF exploit is available at http://www.kb.cert.org/vuls/id/275247. OS X seems not to have been affected by that exploit, and I expect this patch is for some other vulnerability. It's interesting to note that the list spans a wide range of *nix and embedded OSes which use the FreeType 2 libraries, but the vulnerability is not universal.
post #20 of 20
I have tried to install this update 3 different times now. Each time it gets to the optimizing system part and then comes back with a message saying it could not be installed. Do I need to be concerned, or can I just skip this update?