Detailed changes:
AppKit - Characters entered into a secure text field can be read by other applications in the same window session
Under certain circumstances when switching between text input fields, NSSecureTextField may fail to re-enable secure event input. This may allow other applications in the same window session to see some input characters and keyboard events. This update addresses the issue by ensuring secure event input is properly enabled. This issue does not affect systems prior to Mac OS X v10.4.
AppKit, ImageIO - Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution
The handling of a malformed GIF or TIFF image may lead to arbitrary code execution when a maliciously-crafted image is parsed. This affects applications that use the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3 Panther) framework to read images. This update addresses the issue by performing additional validation of GIF and TIFF images.
BOM - Expanding an archive may lead to arbitrary code execution
By carefully crafting an archive (such as a Zip archive) containing long path names, an attacker may be able to trigger a heap buffer overflow in BOM. This may result in arbitrary code execution. BOM is used to handle archives in Finder and other applications. This update addresses the issue by properly handling the boundary conditions.
BOM - Expanding a malicious archive may cause arbitrary files to be created or overwritten
An issue in the handling of directory traversal symbolic links encountered in archives may cause BOM to create or overwrite files in arbitrary locations accessible to the user expanding the archive. BOM handles archives on behalf of Finder and other applications. This update addresses the issue by ensuring that files expanded from an archive are not placed outside the destination directory.
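The kind of destination-confinement check this fix describes can be sketched as follows. This is an added example, not Apple's BOM code: the struct, the function names and the sample listing are hypothetical, and the policy shown (refuse any member whose path passes through a symlink created earlier by the same archive) is one conservative choice.

```c
#include <stdio.h>
#include <string.h>

struct entry {
    const char *name;        /* member path as stored in the archive */
    const char *link_target; /* non-NULL when the member is a symlink */
};

/* Lexical check: relative path with no ".." component. */
int entry_name_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/') return 0;
    for (const char *p = name; *p; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 0;
        p += n;
        while (*p == '/') p++;
    }
    return 1;
}

/* True when `name` would be written through `link` (link + "/" is a prefix). */
int passes_through_link(const char *name, const char *link)
{
    size_t n = strlen(link);
    return strncmp(name, link, n) == 0 && name[n] == '/';
}

/* Index of the first member to refuse, or -1 if the listing is acceptable. */
int first_unsafe_entry(const struct entry *e, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (!entry_name_is_safe(e[i].name)) return (int)i;
        for (size_t j = 0; j < i; j++)
            if (e[j].link_target && passes_through_link(e[i].name, e[j].name))
                return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed listing: member 1 is a symlink, member 2 writes through it. */
    const struct entry listing[] = {
        { "docs/readme.txt", NULL },
        { "docs/out", "../.." },
        { "docs/out/file.txt", NULL },
    };
    printf("first unsafe member: %d\n", first_unsafe_entry(listing, 3));
    return 0;
}
```

The check covers only symlinks the archive itself creates; links that already exist in the destination directory need a separate check at write time.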
CFNetwork - Visiting malicious web sites may lead to arbitrary code execution
An integer overflow in the handling of chunked transfer encoding could lead to arbitrary code execution. CFNetwork is used by Safari and other applications. This update addresses the issue by performing additional validation. The issue does not affect systems prior to Mac OS X v10.4.
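The "additional validation" for this bug class can be illustrated with a chunk-size parser that cannot wrap. This is an added example, not CFNetwork's code, which the advisory does not show: the function names and the 16 MiB cap are assumptions, and chunk extensions (";name=value") are rejected for brevity.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-chunk cap (an assumption of this example). */
#define MAX_CHUNK_SIZE ((size_t)16 * 1024 * 1024)

/* Parse the hex chunk-size line at the start of buf, e.g. "1a3f\r\n".
 * On success returns 0, stores the chunk size in *out and the length of
 * the size line (including CRLF) in *hdr_len. Returns -1 when the line is
 * malformed, incomplete, or larger than MAX_CHUNK_SIZE. */
int parse_chunk_size(const char *buf, size_t len, size_t *out, size_t *hdr_len)
{
    size_t size = 0, i = 0;
    for (; i < len; i++) {
        unsigned d;
        char c = buf[i];
        if (c >= '0' && c <= '9') d = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') d = (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') d = (unsigned)(c - 'A' + 10);
        else break;
        /* Test before multiplying: size * 16 + d must stay within the cap,
         * so the accumulator can never wrap around. */
        if (size > (MAX_CHUNK_SIZE - d) / 16) return -1;
        size = size * 16 + d;
    }
    if (i == 0) return -1; /* no hex digits at all */
    if (len - i < 2 || buf[i] != '\r' || buf[i + 1] != '\n') return -1;
    *out = size;
    *hdr_len = i + 2;
    return 0;
}

/* True when a chunk of `size` bytes plus its trailing CRLF fits in `avail`
 * remaining bytes. Written so that size + 2 is never computed. */
int chunk_fits(size_t size, size_t avail)
{
    return avail >= 2 && size <= avail - 2;
}

int main(void)
{
    const char hdr[] = "1a3f\r\n"; /* constructed sample size line */
    size_t size, hl;
    if (parse_chunk_size(hdr, sizeof hdr - 1, &size, &hl) == 0)
        printf("chunk size %zu, size line %zu bytes\n", size, hl);
    return 0;
}
```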
ClamAV - Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
The ClamAV virus scanning software has been updated to incorporate security fixes in the latest release. ClamAV was introduced in Mac OS X Server v10.4 for email scanning. The most severe of these issues could lead to arbitrary code execution with the privileges of ClamAV. For more information, see the project web site at http://www.clamav.net.
CoreFoundation - Registration of an untrusted bundle may lead to arbitrary code execution
Under certain circumstances, bundles are implicitly registered by applications or the system. A feature of the bundle API allows dynamic libraries to load and execute when a bundle is registered, even if the client application does not explicitly request it. As a result, arbitrary code may be executed from an untrusted bundle without explicit user interaction. This update addresses the issue by only loading and executing libraries from the bundle at the appropriate time.
CoreFoundation - String conversions to file system representation may lead to arbitrary code execution
An integer underflow during the processing of a boundary condition in CFStringGetFileSystemRepresentation may lead to arbitrary code execution. Applications that use this API or one of the related APIs such as NSFileManager's getFileSystemRepresentation:maxLength:withPath: may trigger the issue and lead to arbitrary code execution. This update addresses the issue by properly handling the boundary conditions.
CoreGraphics - Characters entered into a secure text field can be read by other applications in the same window session
Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue.
Finder - Launching an Internet Location item may lead to arbitrary code execution
Internet Location items are simple URL containers which may reference http://, ftp://, and file:// URLs, as well as a few other URL schemes. These different types of Internet Location items are visually distinct, and meant to be safe to explicitly launch. However, the scheme of the URL may be different than the Internet Location type. As a result, an attacker may be able to convince a user to launch a supposedly benign item (such as a Web Internet Location, http://), with the result that some other URL scheme is actually used. In certain circumstances, this may lead to arbitrary code execution. This update addresses the issues by restricting the URL scheme based on the Internet Location type.
FTPServer - FTP operations by authenticated FTP users may lead to arbitrary code execution
Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update addresses the issue by properly handling the boundary conditions.
Flash Player - Playing Flash content may lead to arbitrary code execution
Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files are loaded. Further information is available via the Macromedia web site at http://www.macromedia.com. This update addresses the issue by incorporating Flash Player version 8.0.24.0.
ImageIO - Viewing a maliciously-crafted JPEG image may lead to arbitrary code execution
An integer overflow in the processing of JPEG metadata may result in a heap buffer overflow. By carefully crafting an image with malformed JPEG metadata, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brent Simmons of NewsGator Technologies, Inc. for reporting this issue.