Apple delivers jumbo security update for Mac OS X

Patches 67 bugs, including two used to hack Macs at Pwn2Own contest

Apple today patched 67 vulnerabilities in Mac OS X, including two bugs that researchers used in March to walk off with $5,000 each in a noted hacking contest.

Tuesday's update was the largest for Apple since March 2008.

"For Apple, updates this size are now becoming the norm," said Andrew Storms, director of security operations at nCircle Network Security.

Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.

More than a third of the vulnerabilities - 26 of the 67 - were labeled with Apple's "arbitrary code execution" description, meaning the flaws are critical in nature and could be exploited to hijack a Mac. Unlike many other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.

Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache Web server and the WebKit browser rendering engine that powers Safari. "I don't see Apple moving at a faster pace," said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. "Some of these I remember patching [on Linux] back in December."

"Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities," Storms continued. Researchers can look for fixed bugs in open-source code, and use that information to reverse-engineer an exploit against Apple's operating system secure in the knowledge that the company hasn't yet pushed out updates.

Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.

But the highest-profile vulnerabilities today - if only because they attracted so much media attention -- were the two bugs used at "Pwn2Own," the annual hacking contest sponsored by 3Com's TippingPoint.

Last March, Charlie Miller, an analyst at Independent Security Evaluators in Baltimore, won $5,000 and a MacBook after using a flaw in the Apple Type Services component of Leopard to break into the laptop in Researcher cracks Mac in 10 seconds at PWN2OWN, wins $5k. Later that same day, a computer science student from Germany who would only give his first name as Nils exploited Apple's Safari by using a vulnerability in WebKit.

Apple patched both vulnerabilities today, nearly two months after the contest. Mozilla, in comparison, patched its Firefox browser - which Nils also hacked at the CanSecWest security conference on the same day he broke Internet Explorer 8 and Safari - on March 27.

Storms was struck by the contrast between Apple's update and the one that Microsoft unveiled earlier today. "Microsoft, which historically has had the view of producing the less-secure operating system, puts out one bulletin today, with 14 vulnerabilities. And Apple comes out with [an update with] 67 bugs," he noted. "It's a 'I coulda had a V8' moment, where you slap your forehead," Storms continued. "It's like history changed in front of my eyes."

Critical of Apple's security practices in the past, Storms didn't let up today. "Who really knew that OS X was this insecure?" he said. "This has to be a wake-up call for somebody."

He did not, however, hit the quality of Apple's patches. "The quality on both sides is good," he said. "I don't see a difference in quality between the two [Apple and Microsoft]." Instead, he focused on the lack of business-grade management tools and the paucity of information that Apple provides about the bugs and the ensuing patches.

"Macs really still aren't an enterprise tool," he said, "even though Apple's marketing likes to say that they are, and that they're used in enterprises."

Apple last patched its operating system in mid-February 2009, when it fixed 48 vulnerabilities. Today's patch tally was 40% larger, and the biggest since that 90-fix update 14 months ago.

Safari also was patched today. Apple issued separate security updates for Safari 3.0 and the beta of Safari 4.0; both updates patched three vulnerabilities in the Mac and Windows versions of the browser. Mac users can apply the updates separately, but the patches are included in the 67 that make up 2009-002.

The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.5.7 upgrade also released today.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?