Apple Issues 11 Software Patches
All the patch identifiers begin with CVE-ID and CAN-2005 and can be downloaded from the Apple Web site. Two patches, 1721 and 1722, deal with the Apple Filing Protocol and fix a buffer overflow flaw that could allow unauthorized software to gain access and run.
The flaw affects only a small number of Apple customers, says one analyst. "These patches are for old Mac clients using AppleTalk networking," says Andy Jaquith, an analyst with the Yankee Group research firm. "It would have to be an all Apple shop for it to matter, but [other users] most have switched over to Samba Windows file sharing."
Other patches fix problems that would permit unauthorized access to a computer via wireless Bluetooth technology, corrupt or erase PDF documents, and improperly give a local user root access if a system is configured as a VPN server. These problems are relatively minor and affect a small number of users, Jaquith says.
One issue may be more significant. Four of the patches deal with PHP, a scripting language used to develop dynamic Web pages, which is part of the Mac operating system. They fix problems that could lead to a distributed denial-of-service attack or permit unauthorized code to run on the computer. "This could allow a remote attacker to take over any OS 10 machine," says Jaquith. "But I haven't heard about any exploits playing off these vulnerabilities."
Jaquith notes that Apple is usually reluctant to go public with security problems and software flaws, which he says "could be a good thing. Apple doesn't give out much information to attackers."