Apple Inc. today released Mac OS X 10.5.5 to patch at least 34 security vulnerabilities, about a third of them considered critical, and to fix another 34 reliability and stability bugs -- including several in the services that synchronize Macs with other Macs, iPhones and Palm PDAs.
The security portion of the update -- as is its practice, Apple bundled the two for Leopard users, but split out the vulnerability fixes for people running the older Tiger -- patched bugs in the OS's font mechanism, Finder, image processor, kernel, log-in process, system configuration utility and Time Machine backup application.
Apple labeled nine of the 34 with its usual "arbitrary code execution" phrase. Unlike other OS makers, Apple doesn't rank the vulnerabilities it reports; the tag, however, puts those bugs into a category most would consider "critical."
Among the most notable fixes were a pair that plugged a serious hole in Apple's implementation of the Domain Name System (DNS), the Internet's traffic cop. "This finally patches the Dan Kaminsky exploit," said Andrew Storms, director of security operations at security vendor nCircle Network Security Inc. "This was the piece that was missing on the client side."
In early July, Kaminsky, researcher, disclosed a critical flaw in DNS that made it much easier than originally thought to "poison" the cache of DNS servers, or insert bogus information into the Internet's routing infrastructure. Unlike several other major operating system vendors, including Microsoft Corp. and Red Hat Inc., Apple did not issue a patch when Kaminsky went public on July 8.
In fact, when Apple got around to releasing a DNS fix on July 31, Storms and others confirmed that the update did not actually fix the flaw on Macs running the client edition of OS X.
Apple got it right this time, however. "I installed [10.5.5] and tested it, and yes, it does patch the DNS bug on the client," Storms said.
Apple also updated Mac OS X's implementation of BIND (Berkeley Internet Name Domain), the open-source DNS software maintained by the Internet Software Consortium (ISC), to keep it current with an early-August version that ISC released to solve performance issues that had shipped in the original fix for Kaminsky's vulnerability.
Other patches were aimed at the server editions of Mac OS X, including nine that address vulnerabilities in ClamAV, the open-source anti-virus scanner that's part of Leopard's and Tiger's server software.
The update also fixed at least 34 non-security flaws in Mac OS X 10.5. According to the accompanying advisory, Apple fixed two bugs each in Address Book and Disk Utility, six in the iCal calendar application, seven in the Mail e-mail client, and four in Time Machine, the automatic backup program that debuted with 10.5 last October.
Two fixes targeted MobileMe, the Apple online synchronization and storage service that was so plagued by problems in July and August that CEO Steve Jobs shook up the company's table of organization because of them.
Other changes, said Apple, aimed to solve power-on problems, stability issues involving video playback and MacBook Air remote disc sharing, and iPhone and Palm sync bugs. The update also includes "extensive graphics enhancements," said the company.
Security Update 2008-006 can be downloaded manually from the Apple site, or installed using Mac OS X's integrated update service. Leopard users will see only the Mac OS X 10.5.5 upgrade on the latter, since the vulnerability fixes have been rolled into the update.