Apple releases Mac OS X security update to patch PDF exploit
Apple released a Mac OS X security update Tuesday that fixes a critical PDF vulnerability.
The update, labeled Security Update 2010-005, addresses a "heap buffer overflow" in the way CoreGraphics handles PDF files. The vulnerability could allow "unexpected application termination or arbitrary code execution" through a malicious PDF file.
It is unclear whether this fix is related to the PDF exploit on iOS 4 that allowed hackers to jailbreak the iPhone. Apple released an update on August 11 that addressed the iOS PDF exploit.
Security Update 2010-005 also patches a "stack buffer overflow" that would allow arbitrary code execution through a malicious embedded font. Both the PDF and the font vulnerabilities are fixed through "improved bounds checking."
Also included in the update are several routine fixes to network security flaws.
The update affects Mac OS X Server 10.5, Mac OS X 10.5.8, Mac OS X Server 10.6, and Mac OS X 10.6.4.
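The two bugs the article quotes are the classic shape of a missing bounds check: a parser trusts a length field inside the file and copies that many bytes into a fixed buffer. The following is an added example, not code from Apple or from CoreGraphics; it uses a made-up two-byte length-prefixed record format to show the check that is easy to get wrong (an `offset + len` comparison that can wrap around) beside the form that cannot overflow, and a parser that checks both the input range and the destination capacity before copying.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example (not a real
 * PDF or font structure):
 *   byte 0..1 : big-endian payload length
 *   byte 2..  : payload
 * A fixed-size on-stack destination stands in for the kind of buffer a
 * PDF or font parser copies decoded data into. */
#define DST_CAP 16

/* The flawed form of the range check: the addition can wrap, so a huge
 * len passes the comparison. It returns a bool so the flaw can be shown
 * without ever performing an out-of-bounds copy. */
bool naive_range_ok(size_t offset, size_t len, size_t total) {
    return offset + len <= total;
}

/* The hardened form: validate offset first, then compare len against the
 * remaining space. No arithmetic here can overflow. */
bool safe_range_ok(size_t offset, size_t len, size_t total) {
    if (offset > total) return false;
    return len <= total - offset;
}

/* Parse one record into dst (capacity dst_cap). Returns the payload length
 * on success, -1 on malformed input. Both the source range and the
 * destination capacity are checked before memcpy runs. */
int parse_record(const uint8_t *buf, size_t buf_len,
                 uint8_t *dst, size_t dst_cap) {
    if (buf_len < 2) return -1;
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (!safe_range_ok(2, len, buf_len)) return -1;  /* input bounds */
    if (len > dst_cap) return -1;                     /* destination bounds */
    memcpy(dst, buf + 2, len);
    return (int)len;
}

int main(void) {
    uint8_t dst[DST_CAP];
    /* Constructed well-formed record: length 5, payload "hello". */
    const uint8_t good[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    /* Constructed malformed record: declares 1000 bytes, carries 3. */
    const uint8_t bad[] = {0x03, 0xE8, 'a', 'b', 'c'};

    printf("good record -> %d\n", parse_record(good, sizeof good, dst, sizeof dst));
    printf("bad record  -> %d\n", parse_record(bad, sizeof bad, dst, sizeof dst));
    /* offset 4 + (SIZE_MAX - 2) wraps to 1, so the naive check says "ok". */
    printf("naive check accepts wrapped length: %d\n",
           naive_range_ok(4, SIZE_MAX - 2, 16));
    printf("safe check accepts wrapped length:  %d\n",
           safe_range_ok(4, SIZE_MAX - 2, 16));
    return 0;
}
```

The destination check is the one the article's "improved bounds checking" refers to: the length in the file must be compared against the capacity of the buffer being written, not only against the size of the input. The wrap-around case is the reason the comparison is written as `len <= total - offset` rather than `offset + len <= total`.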
Comments
Update: weighs 84 megs, requires a restart.
Updating now. Wonder if this affects Chrome's built-in PDF viewer.
84mb for a little patch? Wow...
Yep, but, 3 minute download for me. I'd be complaining if I was still on dial-up!
Y'all are never curious about what is in an 84mb file?
Not really. I bought a Mac on the "it just works" idea.
I don't want to have to be curious about my computer, I just want it to work. Plus, I feel if there was something to worry about, the good people of the AppleInsider forums would warn me - some of them very loudly!
I believe there were a couple of other general fixes / maintenance in there as well. Just PDF was the main reason for pushing out the patch.
If you just want it to work why even worry enough to look here?
It continues to confound and astonish me that with the incredible amount of processing power at our disposal, software vendors routinely omit bounds checking code. Why is it that we have all manner of fancy visual effects which may require huge amounts of processing power but are no more than eye candy, but not bounds checking to make code secure?
Obligatory "It's snappier !11!!"
Big time! I did a render last night and it took 1204 seconds, and after the patch it's only taking 258 seconds. No, really!
Or... it could be because I switched from a 2006 4-core Mac Pro to a new 12-core today, but I'm pretty sure the patch was involved too.
We know from painful experience that letting a third party layer of software come between the platform and the developer ultimately results in sub-standard apps and hinders the enhancement and progress of the platform. If developers grow dependent on third party development libraries and tools, they can only take advantage of platform enhancements if and when the third party chooses to adopt the new features. We cannot be at the mercy of a third party deciding if and when they will make our enhancements available to our developers.
http://www.apple.com/hotnews/thoughts-on-flash/
August 19:
Adobe to release emergency patch today
Adobe has announced that it is releasing an emergency out-of-cycle patch later today to resolve a range of security vulnerabilities in its Reader and Acrobat PDF packages.
http://www.bit-tech.net/news/bits/20...-patch-today/1
August 25:
Apple released a Mac OS X security update Tuesday that fixes a critical PDF vulnerability.
The update, labeled Security Update 2010-005, addresses a "heap buffer overflow" in the way CoreGraphics handles PDF files. The vulnerability could allow "unexpected application termination or arbitrary code execution" through a malicious PDF file.
http://www.appleinsider.com/articles...f_exploit.html
You are comparing Apples and Oranges. PDF is a published standard. Adobe's reader (aka bug infested bloatware ) is just one implementation of a viewer. Apple's PDF implementation has no dependency on Adobe. You are correct when it comes to Flash.
Cogent observations aside, this gray-haired retired Unix programmer glazes eyes over yet once again regarding "stack buffer overflow" smash-and-grab errors. By now you'd think the industrial world has adopted tricknology developed over a decade ago to snuff this stuff out. Maybe someone has a patent on how-to-forever-prevent "stack smashing"-at-compile-time, but I doubt it. What hath BSD Unix wrought?
The previous time I called AppleCare but the technician just guided me through the forced restart process.