The buffer overflow vulnerability affects Mac OS X v.10.4.9, as well as Mac OS X Server v.10.4.9, according to a Monday morning post on Dave Aitel's daily mailing list. Aitel is the founder and CTO of Immunity and the author of a book on hackers. The vulnerability lies in Apple's Bonjour zero-configuration networking service, which is designed to enable automatic discovery of computers, devices, and services on IP networks.
Apple described the vulnerability as a problem in the Internet Gateway Device Standardized Device Control Protocol code, which is used to create port mappings on home NAT gateways in the OS X implementation. By sending a maliciously crafted packet, Apple said an attacker on the local network could trigger the overflow that could lead to an unexpected application termination or arbitrary code execution.
The security update, which was released last Friday, fixes the flaw by performing additional validation when processing protocol packets.
The flaw doesn't affect systems prior to Mac OS X v.10.4.