A flaw in the OS X CoreGraphics component can be considered the most serious flaw. It could allow an attacker to remotely execute code on a user's machine through the use of a specially-crafted PDF file. The vulnerability only effects OS X 10.4.9 and OS X Server 10.4.9.
Apple didn't say if the code execution is confined to the limited privileges of the current user, or if attackers could execute code at the root level.
Attackers could also target OS X's "file" for remote code execution. That vulnerability affects all versions of MacOS 10.3 and 10.4.
No other components suffered from remote execution vulnerabilities, which are considered to be the most severe flaws.
A flaw in the Fetchmail component meanwhile could allow attackers to steal a user's email password. Fetchmail is a component used to download e-mails into a user's local machine. Apple said that the component may not adequately encrypt the password.
Vulnerabilities in Apple's iChat messaging software and mDNSResponder system component were also patched. Both vulnerabilities could be exploited to remotely execute code, but required the attacker to be on a local network with the target machine.
The company also fixed a vulnerability in the way that OS X handles disk images. Apple warned that by convincing a user to mount two identically-named disk images, an attacker would be able to disguise a piece of malicious software as a legitimate application or document.
The security update is available through Apple's software update system component or as a download from the company's website.
Baker's dozen in latest Apple security update
By Shaun Nichols on May 25, 2007 2:11PM