Patches rain down on OS X

Apple has released a set of patches that fix 44 security flaws in its OS X operating system for servers and desktop computers.

While the patch is one of the larger ones in terms of the number of security holes it plugs, its size is relatively small. The download files vary in size from 13.3Mb to 26.9Mb, depending on the version of the operating that the user is running.

Several of the fixes in the package protect users against buffer overflow attacks or prevent them from bypassing security features, causing security website Secunia to rate the patch as "highly critical", its second highest security rating on a five step scale.

The AppKit received three patches, two of which could lead to a buffer overflow attack. The AppKit is a part of the operating system that helps third party developers to build their applications. It includes application programming interfaces and objects for the graphical user interface.

One hole in the service could allow a hacker to cause a buffer overflow by crafting a special rich text format (.rtf) file. Another one posed a similar risk with a specially crafted Microsoft Word .doc file, but it only affects applications that use the AppKit. Microsoft Word is not vulnerable.

A third flaw in the AppKit would allow a malicious user with physical access to the system to create additional user accounts.

The Safari browser received a fix that could expose the user to arbitrary code execution by just clicking on a link. The software under certain conditions allowed websites to bypass its security checks. Another flaw in the browser prevents a potential problem with submitting information in forms.

The server version of the software got three patches of its Directory Services which is used to authenticate users. One of the holes in the software allowed for a buffer overflow attack, another would allow users without admin rights to create and delete accounts.

Several fixes in the patch make repairs to third party applications, such as the Apache 2 open source webserver that ships with the server version of OS X.

The patch fixes two widely publicised flaws in the Kerberos authentication and Zlib compression technologies. The two open source projects are used in a range of operating systems, from Linux to Windows and OS X.

While the patch packet fixes several critical security holes that could cause serious security issues, other patches could be considered general updates to the operating system.

One patch tackles an issue with the CUPS printing service that will freeze if it has to handle multiple simultaneous print jobs, or when it receives an incomplete print request. Users were forced to restart the service to resume printing.

Separate patches for OS X 10.4.2 and OS X 10.3.9 are available for download from Apple's website or through the Software update feature in the operating system.