Apple releases hefty package of OS X fixes

Rated “highly critical” by vulnerability tracking firm Secunia, the security update resolves bugs in a number of Mac OS X components, including Address Book, Flash Player Plug-in, iChat, Mail, Safari and Samba.

The holes mostly rely on social engineering to succeed, experts said.

“A lot of these are client-side vulnerabilities, meaning the client has to perform some sort of action, like visiting a website that has been exploited or opening a mail attachment,” Jonathan Bitle, manager of technical accounts at Qualys, told SCMagazineUS.com.

To close a cross-site scripting vulnerability, Apple late Monday also delivered a single fix for the Safari 3 web browser beta for Windows.

The patch bundles arrived four days after the Cupertino, Calif.-based computing giant distributed its first Java security update since September 2005, in addition to a fix for a dangerous vulnerability in the QuickTime player.

The OS X fixes affect both the Tiger (10.4) and recently released Leopard (10.5) versions.

This includes an issue with Launch Services, an application programming interface that lets a running application open other applications or documents. According to Apple, the hole could have allowed executables embedded in mail attachments to run without warning when a user opened a mail attachment.

Experts said Apple has released a plethora of Mac OS X-related fixes this year, some of which corrected vulnerabilities that were being actively exploited. However, those particular flaws mostly reside in technologies not owned by Apple and therefore were being exploited on the Windows platform.

“We've seen a huge year of releases,” Bitle said. “Month after month, we've had significant updates from Apple...Some are very worrisome from a security perspective, but on the other hand, they are doing their very utmost in fixing these security issues.”

Mike Romo, Mac product manager at Symantec, said he attributes the hefty Mac fixes to a number of factors.

For one, the increasing market share is prompting researchers to pay more attention to the platform and not solely focus on Windows. Also, developers these days are writing a number of different applications for multiple platforms, which opens the door for increased vulnerabilities.

Mac machines also face additional flaws because they used to run on PowerPC chips, but the latest systems are all transitioning to an Intel-based architecture, for which developers are creating new applications and software that may contain holes.

But Mac enthusiasts should be encouraged by Apple's commitment to fixes, Romo said. Many are reported by users.

“I think it shows that the fabled Mac community is as tight as ever,” he said. “You have such an aggressive user population who cares for the platform so deeply.”

Bitle said he expects Apple to soon release patches in much the same way as Microsoft, which currently offers pre-delivery notifications and more detailed information on the severity levels of the fixes.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition

patch managementsecurity