Apple patches 11 security holes

by Tom Sanders in California

10 Jun 2005

Vulnerabilities affect OS X Panther 10.3 and OS X Tiger 10.4

Apple has released a security update that fixes 11 vulnerabilities in the OS X operating system. The patched vulnerabilities include holes in both OS X Panther 10.3 and OS X Tiger 10.4.

While most of the repairs target arbitrary vulnerabilities, such as a way to circumvent a check for unsafe file formats by changing a file name, others represent more serious holes that could allow buffer overflow attacks or give hackers root access.

One of the vulnerabilities allowed devices using a Bluetooth connection to access files outside the default file exchange directory, Apple said on its website.

Another hole affecting both versions of the operating system was caused by multiple flaws in the PHP scripting language. The vulnerabilities could allow for remote denial of service attacks and the execution of arbitrary code.

The update also plugs some holes unique to OS X 10.4, including a vulnerability in the AFP server that was susceptible to a buffer overflow attack after which arbitrary code could be executed. The AFP server allows Windows computers to access files on a Mac through a network.

Another OS X 10.4 hole, in CoreGraphics, allowed console users to gain root access, which could let unprivileged users launch commands.

Lastly, the patch fixes an error that gives users root access if a computer is used as a virtual private network server. The flaw could be exploited remotely through the internet. The same hole affected OS X 10.3.9, but was fixed last May.

Separate patches for OS X 10.3.9 and OS X 10.4.1 are available for download through the Apple Software Update service or online.
