Apple issued a large patch yesterday for its Leopard operating system. While the iCal calendar exploit got a good bit of press back when it was discovered in January, most of the more than forty bugs and vulnerabilities addressed in the patch haven't really been front-page news, although many of them seem fairly serious. The days of "security by obscurity" for Apple users are gone now as Apple gains market share, so if you're running Leopard, make sure your computer is patched and up to date.
While Security Update 2008-003 targets Mac OS X v 10.4.11 and Mac OS X Server v 10.4.11, it also incorporates repairs for Mac OS X v 10.5.3, which was also released Wednesday.
Unlike other software companies, Apple doesn't have a fixed rating system that designates vulnerabilities as "critical." However, numerous patches in Security Update 2008-003 address errors that could allow a remote attacker to execute malicious code on an affected system.
Altogether, this patch release fixes holes in Apache, AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Flash Player Plug-in, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, ruby, Single Sign-On and Wiki Server.
It's a long list of potential problems being addressed, but the most interesting one might be a patch for the handling of embedded fonts in PDF files. The flaw might allow a remote attacker to take control of an entire system if a PDF containing a spoofed font was printed. Consider how clever that is. Is there anyone that clever working for the good guys?