Apple Releases 10.4.9 With Many Security Fixes
On this Patch Tuesday, Microsoft decided to hold off on patches so that there wouldn't be any unexpected interactions with the recent US daylight saving time change, which went into effect last Sunday. However, Apple seems to have stepped up to bat with a new minor revision of its OS, which comes along with about 45 security fixes (roughly an even mix of third-party issues in things like GNU tar, OpenSSH, MySQL, etc. and Apple's own software). Below are the issues most relevant to client-side security.
CVE-2007-0719 - Opening an image with a specially crafted ColorSync profile could lead to a DoS or arbitrary code execution due to a buffer overflow. I believe this can be exploited in something like Safari because it has ColorSync support. Googling around suggests that Safari will assume a default ColorSync profile for most images unless one is explicitly embedded, so an image that does embed a malicious profile gets it parsed. Therefore this seems like a normal "look at image, get exploited" sort of problem.
CVE-2007-0102 - While Apple doesn't list this CVE in the advisory, it references Month of Apple Bugs #6 as the source, so I think this is the correct issue. Apple's PDF support is actually part of the CoreGraphics library, which is why basically every application on Mac OS X can save to PDF format (though with the somewhat awkward requirement of going through the print menu first). Because the bug sits in that shared library rather than in one viewer, and, as you'll see if you check the MOAB link, stems from a problem in the PDF spec itself, its effects were very widespread.
CVE-2006-5330 - This updates the bundled Flash Player to 9.0.28.0 to address that CVE.
CVE-2007-1071 - There are actually two vulnerabilities in ImageIO, the first for GIFs and the second for RAW files. I hadn't checked this in the past, but I just tested that .RAW files are not actually displayed inline in Safari, so they fall under the multitude of file types that the user would have to open manually to be exploited, and I therefore consider them out of scope for now. The GIF one was found by Tom Ferris over at security-protocols.com, so on this one we actually know that Apple was notified on 9/8/06. More ammo for those who would cite Apple's relatively slow patch time. For some of the many past imaging vulnerabilities, see this link.
There are also two QuickDraw bugs related to PICT files. However, as with RAW, I hadn't checked in the past whether that image type is displayed inline in Safari or Firefox on the Mac. It turns out it isn't, and so it is again slightly out of scope. At some point in the future we will begin caring about file types like MS Office documents that require the user to open them manually; for now, though, we are focused on exploits that automatically compromise client applications. I mention this again because there is no clear line for what is in scope when hunting client-side exploits, and different people and projects define their scope slightly differently.
