Apple patches protect users from drive-by attacks

Just in time for iPad 2 release, Safari browser flaws fixed in Snow Leopard.

Apple on Tuesday released an upgrade to its operating system, Mac OS X 10.6.7, as well as issued Security Update 2011-001 for Mac OS X 10.5.

Both releases fix the same set of security issues across Apple products, including the Snow Leopard and Leopard operating systems themselves, Apple's Safari 5.0.4 web browser, the App Store, and the driver for AirPort, the company's wireless local area networking product.

The update also carries fixes for Windows file sharing and for Apple's Back to My Mac remote connectivity system, affecting encrypted connections between computers that use IPSec, as well as a number of updates to bundled third-party software such as Apache and PHP.

The image and font rendering subsystems were patched, as was media viewing in QuickTime, the company's multimedia platform. The vulnerabilities might have allowed downloaded files to inject code and shut down systems. When connected to Wi-Fi, the AirPort software could have allowed an attacker on the same network to trigger a system reset.

In addition, a number of vulnerabilities, some of which might have allowed arbitrary code execution, were patched in ClamAV, the virus scanner used by Apple's email service.

Apple said it improved the stability of web pages with plug-in content and of image reflections and transition effects, fixed an issue that could render page layouts incorrectly when printing, and improved VoiceOver, Apple's screen-reading technology.

Another fix, in ImageIO, corrected an integer overflow that occurred when viewing a maliciously crafted JPEG-encoded TIFF image and could have resulted in application termination or arbitrary code execution. Buffer overflow issues triggered by maliciously crafted Canon RAW images, which could likewise lead to application termination or arbitrary code execution, were similarly patched.

"Nothing jumps out as earth-shattering, but users should patch as soon as possible," said Chet Wisniewski, a Sophos senior security adviser.

He said among the fixes, the updates to Safari were most important. Flaws in the browser he observed at a trade show two weeks ago were fixed in today's release.

Writing on his blog, Graham Cluley, a senior technology consultant at Sophos, agreed with Wisniewski's assessment. He pointed out that while Apple doesn't assign severity levels to its products' security vulnerabilities, the bugs in its web browser Safari "look pretty critical to me". Most of the 62 bugs were exploited just by a user visiting a maliciously crafted website, he wrote.

A good enough reason to install the update, Cluley advised.

"There is no reason to panic," Wisniewski said. "But when the patch is out, do the right thing."

This article originally appeared at

Copyright © SC Magazine, US edition