About the security content of the Mac OS X 10.5.1 Update (client and server)

This document describes the security content of the Mac OS X 10.5.1 Update (both client and server), which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key".

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out more about other Security Updates, see "Apple Security Updates".

Mac OS X v10.5.1 Update

Application Firewall

CVE-ID: CVE-2007-4702

Available for: Mac OS X v10.5, Mac OS X Server v10.5

Impact: The "Block all incoming connections" setting for the firewall is misleading.

Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services", and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour) and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information. This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall

CVE-ID: CVE-2007-4703

Available for: Mac OS X v10.5, Mac OS X Server v10.5

Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications".

Description: The "Set access for specific services and applications" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as "Block incoming connections". This could result in the unexpected exposure of network services. This update corrects the issue so that any executable so marked is blocked. This issue does not affect systems prior to Mac OS X v10.5.

Application Firewall

CVE-ID: CVE-2007-4704

Available for: Mac OS X v10.5, Mac OS X Server v10.5

Impact: Changes to Application Firewall settings do not affect processes started by launchd until they have been restarted.

Description: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it has been restarted. A user may expect changes to take effect immediately and so leave their system exposed to network access. This update corrects the issue so that changes take effect immediately. This issue does not affect systems prior to Mac OS X v10.5.

Published Date: