Apple releases Mac OS X 10.6.3 and security update for Leopard

Australian Macworld staff
30 March, 2010
View more articles fromthe author

Apple has released Mac OS X 10.6.3, the latest update to Mac OS X Snow Leopard. The update is recommended for all users of Snow Leopard, and brings a number of fixes, improvements, and security patches. The update’s size may vary depending on the configuration of your Mac.

Included in this latest update are many fixes and improvements, for issues as far-ranging as updated Daylight Savings Time rules for Antarctica to improved reliability of iDisk syncing. Apple also specifically calls out one larger change: Mac OS X 10.6.3 can automatically collect diagnostic and usage information from your Mac and send it to Apple for analysis, with the end goal of improving Apple’s products and services. The data submission—which is prompted by actions like force quitting applications, kernel panics, and system errors—is sent anonymously to Apple and is only collected with the user’s explicit consent. This seems to be an extension of Apple’s current system for submitting information upon program crashes.

Other systems to see updates include QuickTime X, which now sports improved reliability and compatibility; AirPort, which improves a slew of reliability issues, from general wireless connectivity to sleep and wake for current iMac models on 2.4GHz wireless networks; and File Services, which fixes issues for copying, renaming, and deleting files on SMB servers as well as a problem where Microsoft Office 2008 files might not save to an SMB server.

In addition, iCal has three fixed bugs, one where changing an invitation list for a instance of a recurring event “un-booked” the location of the meeting, and two related to Microsoft Exchange events. Apple fixed an issue in Mail that caused background message colors to display incorrectly, as well as a pair of problems related to Microsoft Exchange: one where the Sent mailbox wasn’t correctly synced, and another slightly more frightening one that could make Mail delete mailboxes on an Exchange server hosted behind a load balancer.

In addition to improved iDisk syncing, other updates for MobileMe correct an issue where movies hosted in the service’s gallery couldn’t be viewed in Safari and improve calendar syncing reliability. A handful of Time Machine fixes include more reliable Time Machine-to-Time Capsule backups, a fix for a problem where a Time Machine backup might not work over an AirPort connection, and an issue with Time Machine where system backups could be restored onto unsupported Mac configurations.

In addition to these and several other bug fixes and feature enhancements, 10.6.3 also brings a plethora of security patches for Mac OS X, including fixes for AFP Server, the Application Firewall, QuickTime, CoreAudio, Disk Image, Directory Services, and more. Several fixes are credited to Tipping Point’s Zero Day Initiative, which recently sponsored the Pwn2Own contest at CanSecWest where security researcher Charlie Miller demonstrated a number of vulnerabilities in Mac OS X.

Given that Miller said he wouldn’t hand over the vulnerabilities, but rather show Apple how he found them, it’s unclear whether or not the holes he showed off are fixed by this update, but he’s not explicitly credited anywhere.

Apple also updated Mac OS X Server to version 10.6.3, adding general stability improvements as well as specific fixes for systems like Calendar Service, Mail Service, Directory Service, Podcast Producer, and more. Also included are the same security patches applied to the client version of Mac OS X 10.6.3.

Both the Mac OS X 10.6.3 update and Mac OS X Server 10.6.3 update are available from Apple’s download site or via Software Update.

Security update for Leopard and Snow Leopard

Apple has also issued a security update for users of Leopard and Snow Leopard. Security Update 2010-002 is included with the Mac OS X 10.6.3 update; Leopard users can download the update separately for client and server versions of Mac OS X 10.5.

The release notes for Security Update 2010-002 outline 69 changes across Leopard and Snow Leopard. The update focuses on closing would-be vulnerabilities that could have subjected your Mac to remote attacks, malicious code, or applications quitting unexpectedly.

QuickTime alone accounts for nine of the fixes in the release. The updates tackle a heap buffer overflow in the way the multimedia applications handles movies encoded in H.263, H.261, RLE, M-JPEG, FLC, and MPEG. Also addressed are memory corruptions in how QuickTime handles H.264- and Sorenson-encoded movie files.

iChat Server gets four fixes. An implementation issue in jabberd’s handling of SASL negotiation that could have let remote attackers cause a denial of service has been addressed. The update also fixes an issue where chat messages may not be logged or authenticated users could have caused applications to quit unexpectedly or arbitrary code to be executed.

Other changes of note in Security Update 2010-002 include:

  • a pair of fixes to CoreAudio that tackle memory corruption issues in the handling of QDM2- and QDMC-encoded audio content;
  • the addition of .ibplugin and .url to the system’s list of content types that OS X will flag as potentially unsafe under certain circumstances;
  • a change that ensures that copied files are owned by the user performing the copy in OS X 10.6;
  • fixes that address a memory corruption issue in the handling of bzip2 compressed disk images and a design issue in the handling of Internet-enable disk images;
  • fixes to buffer overflows that exist in Image RAW’s handling of NEF and PEF images; and
  • a fix for a logic issue in how Mail handles encryption certificates.

Security changes are included with the OS X 10.6.3 update available from Software Update or Apple’s support download site. That page lists Security Update 2010-002 as a 78.39MB download for Leopard client users and a 361.40MB download for Leopard Server.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us