Apple has released a major update to Mac OS X 10.5, Leopard, incrementing the OS’s version to 10.5.2. This very large update (180 MB) fixes dozens of elements in Leopard, but also plugs eleven security holes, dealing with Mail, Directory Services, Terminal, X11, Parental Controls and more. As always with security updates, you should install this update as soon as you can from the Software Update preference pane. (A Tiger version of the security update is also available today. See here for more information and download links.)
But this being a major system update, you should take precautions. We recommend that you make a bootable backup with Personal Backup X5 before running the update, in case anything goes wrong during the update procedure. When you create a bootable backup like this, you can restart your Mac immediately from the external drive you use for the backup, should any problems arise. During major system updates, problems with power, or simply glitches in the updater, can cause the update to fail, and possibly render your Mac unstartable. With a bootable backup available, you can get back to work right away if such a problem arises.
No, I’m not suggesting you spam Intego, but rather that you send us the spam you receive that slips by Personal Antispam X5’s spam filter, so we can improve its spam-catching abilities. Current tests show that Personal Antispam X5 catches more than 99% of all spam, but that last 1% is always a struggle, since spammers are constantly coming up with new techniques to evade spam filters. Every week, new forms of spam arise, and here at Intego, we keep up with this by issuing regular updates to Personal Antispam X5’s spam filters. (You can get these updates via NetUpdate, Intego’s update engine; spam filters are updated several times a month.)
In Personal Antispam X5, we have added a feature so you can forward your spam to Intego, allowing us to analyze it and add its characteristics to the program’s filters. To do this, select one or several messages, then choose Submit Spam Sample to Intego from the Personal Antispam menu in Mail or Entourage. This will copy the information from the message(s) to a new message, and send it to a special e-mail address Intego uses to collect new spam.

Our developers will analyze the message, and future updates to the program’s spam filters will take this type of spam into account. The more messages you forward like this, the more efficient we can make Personal Antispam X5. So don’t hesitate: send us your spam!
If you use Firefox as your web browser, it’s time to grab an update. The Mozilla Foundation has released a new version of the program containing ten fixes, three of them security patches for critical flaws. One of the flaws allowed remote users to swipe browser history, another affected the way the browser processes images on web pages, and the third was a remote code execution flaw. There is also a fix for the way Firefox handles add-ons, which may have security ramifications.
Get the latest version of Firefox (2.0.0.12) here.
Apple has just released QuickTime 7.4.1, an update to its media software that includes a critical security fix. They describe the problem and fix as follows:
“Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution. Description: A heap buffer overflow exists in QuickTime’s handling of HTTP responses when RTSP tunneling is enabled. By enticing a user to visit a maliciously crafted webpage, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.”
This problem is similar to the QuickTime streaming flaw that we wrote about last November, which was patched in mid-December. This recent update is for Mac OS X 10.3, 10.4 and 10.5.
Apple has been having repeated problems with QuickTime flaws, and this one is important to fix. There are exploits in the wild, with sample code for wannabe hackers to try their luck. Get this update now from Software Update, or from the link at the beginning of this article.
When most vendors release security updates to their software, they tell users what is being fixed. Not Adobe; they’ve just released a security update for Acrobat Reader, version 8.1.2, and they say it “addresses a number of customer workflow issues and security vulnerabilities”, without giving any more information. This is a no-no in the security world, since administrators need to know what’s being fixed. In any case, if you use Acrobat Reader, get the latest update so you can be safe from . . . well, I don’t know what.
You probably wouldn’t think that iPhoto could have security holes, but today’s update from Apple shows this is indeed the case. iPhoto, which you may think is just a tool for managing your digital pictures, uses the Internet when you create or subscribe to photocasts. It turns out that “A format string vulnerability exists in iPhoto. By enticing a user to subscribe to a maliciously-crafted photocast, a remote attacker may cause arbitrary code execution.”
For that reason, you should run Software Update and patch your version of iPhoto (this only applies to iPhoto 7), even if you don’t use photocasts now; you may do so in the future, and you may be “enticed” to subscribe to a “maliciously-crafted photocast”. Don’t say we didn’t warn you!