Apple releases Mac OS X 10.5.5, patches nearly 70 bugs

Computerworld - Apple Inc. today released Mac OS X 10.5.5 to patch at least 34 security vulnerabilities, about a third of them considered critical, and to fix another 34 reliability and stability bugs -- including several in the services that synchronize Macs with other Macs, iPhones and Palm PDAs.

The security portion of the update -- as is its practice, Apple bundled the two for Leopard users, but split out the vulnerability fixes for people running the older Tiger -- patched bugs in the operating system's font mechanism, Finder, image processor, kernel, log-in process, system configuration utility and Time Machine backup application.

Apple labeled nine of the 34 with its usual "arbitrary code execution" phrase. Unlike other OS makers, Apple doesn't rank the vulnerabilities it reports; the tag, however, puts those bugs into a category most would consider critical.

Among the most notable fixes were a pair that plugged a serious hole in Apple's implementation of the Domain Name System (DNS), the Internet's traffic cop. "This finally patches the Dan Kaminsky exploit," said Andrew Storms, director of security operations at security vendor nCircle Network Security Inc. "This was the piece that was missing on the client side."

In early July, Kaminsky, a security researcher, disclosed a critical flaw in the DNS that made it much easier than originally thought to "poison" the cache of DNS servers, or insert bogus information into the Internet's routing infrastructure. Unlike several other major operating system vendors, including Microsoft Corp. and Red Hat Inc., Apple did not issue a patch when Kaminsky went public on July 8.

In fact, when Apple got around to releasing a DNS fix on July 31, Storms and others confirmed that the update did not actually fix the flaw on Macs running the client edition of OS X.

Apple got it right this time, however. "I installed [10.5.5] and tested it, and yes, it does patch the DNS bug on the client," Storms said.

Apple also updated Mac OS X's implementation of BIND (Berkeley Internet Name Domain), the open-source DNS software maintained by the Internet Software Consortium (ISC), to keep it current with an early-August version that the ISC released to solve performance issues that had shipped in the original fix for Kaminsky's vulnerability.

Other patches were aimed at the server editions of Mac OS X, including nine that address vulnerabilities in ClamAV, the open-source antivirus scanner that's part of Leopard's and Tiger's server software.

The update also fixed at least 34 nonsecurity flaws in Mac OS X 10.5. According to the accompanying advisory, Apple fixed two bugs each in Address Book and Disk Utility, six in the iCal calendar application, seven in the Mail e-mail client, and four in Time Machine, the automatic backup program that debuted with 10.5 last October.