Apple Releases Security Update 2009-004 For Tiger And Leopard

Security Update 2009-004 can be downloaded and installed via Software Update preferences, or from Apple Downloads.

A logic issue in the handling of dynamic DNS update messages may cause an assertion to be triggered. By sending a maliciously crafted update message to the BIND DNS server, a remote attacker may be able to interrupt the BIND service. The issue affects servers which are masters for one or more zones, regardless of whether they accept updates. BIND is included with Mac OS X and Mac OS X Server but it is not enabled by default. This update addresses the issue by properly rejecting messages with a record of type 'ANY' where an assertion would previously have been raised.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

Available for:
Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8

Impact: A remote attacker may be able to cause the DNS server to unexpectedly terminate

Fixed in this update:

  • Alias Manager: Opening a maliciously crafted alias file may lead to an unexpected application termination or arbitrary code execution

  • CarbonCore: Opening a file with a maliciously crafted resource fork may lead to an unexpected application termination or arbitrary code execution

  • ClamAV: Multiple vulnerabilities in ClamAV 0.94.2

  • ColorSync: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution

  • CoreGraphics: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

  • CoreGraphics: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

  • CUPS: A remote attacker may be able to deny access to the Printer Sharing service; an unprivileged local user may be able to obtain system privileges

  • Flash Player plug-in: Multiple vulnerabilities in Adobe Flash Player plug-in

  • ImageIO: Viewing a maliciously crafted PixarFilm encoded TIFF image may lead to an unexpected application termination or arbitrary code execution

  • Launch Services: Attempting to open unsafe downloaded content may not lead to a warning; visiting a malicious website may lead to arbitrary code execution

  • MySQL: MySQL is updated to version 5.0.82

  • PHP: Multiple vulnerabilities in PHP 5.2.8

  • SMB: Enabling Windows File Sharing may share folders unexpectedly

  • Wiki Server: A remote attacker may gain access to Wiki Server user accounts



For more information, visit:
http://support.apple.com/kb/HT3776

Downloads:
http://support.apple.com/downloads/

Alternate download links for specific versions of standalone installer (MacUpdate):
http://www.macupdate.com/info.php/id/8282/apple-security-update

Mac OS X 10.4.11 or Mac OS X 10.5.8.
Mac OS X 10.4 (Intel)
Mac OS X 10.4 (PowerPC)
Mac OS X 10.4 Server (Intel)
Mac OS X 10.4 Server (PowerPC)
Mac OS X 10.5 Server




Mine was 2009-005 update for 10.4.11 in PPC.
