DotResults - Quick Tech Answers

Apple OS X 10.6.3 Brings Security to Safari

by Kayla on March 29, 2010

It’s time yet again for everyone to update Apple OS X to the latest version, OS X 10.6.3. If you go to the previous link you can see the entire list of fixes. Most of the affected applications are ones I never use, while others relate only to Mac OS X Server. With that said, the most important parts of the update to me relate to the security vulnerabilities recently discovered through TippingPoint’s Zero Day Initiative:

“Apple’s Safari browser got hacked on both Snow Leopard and the iPhone during the first day of the annual Pwn2Own contest, where security specialists can win the hardware they successfully attack. As CNet reports, security analyst Charlie Miller won $10,000 after remotely exploiting Safari on a MacBook Pro.”


It’s not certain whether the 10.6.3 patches related to those hacks were already in the works, or whether the issues only came to light through the contest. All of the security fixes can be found in this Apple Support KB article. Credit is given to different sources in the article, and while many of them point to Pwn2Own participants, Charlie Miller is not mentioned. The important Safari fix is this one:

ImageIO
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website
Description: An uninitialized memory access issue exists in ImageIO’s handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory initialization and additional validation of TIFF images. Credit to Matthew ‘j00ru’ Jurczyk of Hispasec for reporting this issue.

Some fixes were for X11, which you may have read about in our How to Install Putty on OS X article.

X11
Impact: Viewing a maliciously crafted image may lead to the disclosure of sensitive information
Description: libpng is updated to version 1.2.37 to address an issue that may result in the disclosure of sensitive information. Further information is available via the libpng site at http://www.libpng.org/pub/png/libpng.html

X11
Impact: Displaying maliciously crafted data within an xterm terminal may lead to arbitrary code execution
Description: The xterm program supports a command sequence to change the window title, and to print the window title to the terminal. The information returned is provided to the terminal as though it were keyboard input from the user. Within an xterm terminal, displaying maliciously crafted data containing such sequences may result in command injection. The issue is addressed by disabling the affected command sequence.
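As an added example (not from the original post or from Apple’s advisory), a small Python filter that flags and strips these sequences before untrusted text such as log lines or file names is written to a terminal. It assumes the sequence numbers from xterm’s control-sequence documentation (OSC 0/1/2 set the icon or window title, CSI 20 t and CSI 21 t ask xterm to report them back), and the sample line is constructed.

```python
import re

# Assumptions from xterm's ctlseqs documentation:
#   ESC ] {0,1,2} ; text BEL   (or ESC \ as terminator)  sets icon/window title
#   ESC [ 20 t / ESC [ 21 t                               reports icon label / title
# The report is delivered as if the user typed it, which is the injection path.
OSC_TITLE_RE = re.compile(r"\x1b\][012];[^\x07\x1b]*(?:\x07|\x1b\\)")
TITLE_QUERY_RE = re.compile(r"\x1b\[2[01]t")

# Generic sequence removers used by the sanitizer.
OSC_ANY_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
TWO_BYTE_ESC_RE = re.compile(r"\x1b[^\[\]]")


def title_report_abuse(data: str) -> bool:
    """True when data both sets a title and asks xterm to echo it back."""
    return bool(OSC_TITLE_RE.search(data)) and bool(TITLE_QUERY_RE.search(data))


def sanitize_for_terminal(data: str) -> str:
    """Strip escape sequences so untrusted text can be displayed safely."""
    data = OSC_ANY_RE.sub("", data)
    data = CSI_RE.sub("", data)
    data = TWO_BYTE_ESC_RE.sub("", data)
    # Fallback for truncated or unknown sequences: drop any leftover ESC bytes.
    return data.replace("\x1b", "")


# Constructed log line: a title-set followed by a title-report request.
SAMPLE_LOG_LINE = "login from 10.0.0.5 user=bob\x1b]2;INJECTED-TITLE\x07\x1b[21t\n"

if __name__ == "__main__":
    print("suspicious:", title_report_abuse(SAMPLE_LOG_LINE))
    print("clean line:", repr(sanitize_for_terminal(SAMPLE_LOG_LINE)))
```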

Other notable security fixes in the update:

AFP Server
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: When guest access is disabled, a remote user may be able to mount AFP shares as a guest
Description: An access control issue in AFP Server may allow a remote user to mount AFP shares as a guest, even if guest access is disabled. This issue is addressed through improved access control checks. Credit: Apple.

Apache
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to bypass access control restrictions
Description: An input validation issue exists in Apache’s handling of proxied FTP requests. A remote attacker with the ability to issue requests through the proxy may be able to bypass access control restrictions specified in the Apache configuration. This issue is addressed by updating Apache to version 2.2.14.





2010 DotResults. All rights reserved. Powered by Selans
