iTnews

Apple releases hefty package of OS X fixes

By Dan Kaplan on Dec 19, 2007 10:03AM

Apple has issued patches to correct at least 40 vulnerabilities in its Mac operating system that could permit an attacker to install malicious software on a victim's machine.

Rated “highly critical” by vulnerability tracking firm Secunia, the security update resolves bugs in a number of Mac OS X components, including Address Book, Flash Player Plug-in, iChat, Mail, Safari and Samba.

The holes mostly rely on social engineering to succeed, experts said.

“A lot of these are client-side vulnerabilities, meaning the client has to perform some sort of action, like visiting a website that has been exploited or opening a mail attachment,” Jonathan Bitle, manager of technical accounts at Qualys, told SCMagazineUS.com.

To close a cross-site scripting vulnerability, Apple late Monday also delivered a single fix for the Safari 3 web browser beta for Windows.

The patch bundles arrived four days after the Cupertino, Calif.-based computing giant distributed its first Java security update since September 2005, in addition to a fix for a dangerous vulnerability in the QuickTime player.

The OS X fixes affect both the Tiger (10.4) and recently released Leopard (10.5) versions.

This includes an issue with Launch Services, an application programming interface that lets a running application open other applications or documents. According to Apple, the hole could have allowed executables embedded in mail attachments to run without warning when a user opened a mail attachment.

Experts said Apple has released a plethora of Mac OS X-related fixes this year, some of which corrected vulnerabilities that were being actively exploited. However, those particular flaws mostly reside in technologies not owned by Apple and therefore were being exploited on the Windows platform.

“We've seen a huge year of releases,” Bitle said. “Month after month, we've had significant updates from Apple...Some are very worrisome from a security perspective, but on the other hand, they are doing their very utmost in fixing these security issues.”

Mike Romo, Mac product manager at Symantec, said he attributes the hefty Mac fixes to a number of factors.

For one, the increasing market share is prompting researchers to pay more attention to the platform and not solely focus on Windows. Also, developers these days are writing a number of different applications for multiple platforms, which opens the door for increased vulnerabilities.

Mac machines also face additional flaws because of the platform's chip transition: they used to run on PowerPC processors, but the latest systems are all moving to an Intel-based architecture, for which developers are creating new applications and software that may contain holes.

But Mac enthusiasts should be encouraged by Apple's commitment to fixes, Romo said. Many are reported by users.

“I think it shows that the fabled Mac community is as tight as ever,” he said. “You have such an aggressive user population who cares for the platform so deeply.”

Bitle said he expects Apple to soon release patches in much the same way as Microsoft, which currently offers pre-delivery notifications and more detailed information on the severity levels of the fixes.

See original article on scmagazineus.com
Copyright © SC Magazine, US edition