Apple delivers jumbo security update for Mac OS X

Patches 67 bugs, including two used to hack Macs at Pwn2Own contest

Apple today patched 67 vulnerabilities in Mac OS X, including two bugs that researchers used in March to walk off with $5,000 each in a noted hacking contest.

Tuesday's update was the largest for Apple since March 2008.

"For Apple, updates this size are now becoming the norm," said Andrew Storms, director of security operations at nCircle Network Security.

Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.

More than a third of the vulnerabilities - 26 of the 67 - were labeled with Apple's "arbitrary code execution" description, meaning the flaws are critical in nature and could be exploited to hijack a Mac. Unlike many other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.

Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache Web server and the WebKit browser rendering engine that powers Safari. "I don't see Apple moving at a faster pace," said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. "Some of these I remember patching [on Linux] back in December."

"Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities," Storms continued. Researchers can look for fixed bugs in open-source code, and use that information to reverse-engineer an exploit against Apple's operating system secure in the knowledge that the company hasn't yet pushed out updates.

Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.

But the highest-profile vulnerabilities today - if only because they attracted so much media attention -- were the two bugs used at "Pwn2Own," the annual hacking contest sponsored by 3Com's TippingPoint.

Last March, Charlie Miller, an analyst at Independent Security Evaluators in Baltimore, won $5,000 and a MacBook after using a flaw in the Apple Type Services component of Leopard to break into the laptop in Researcher cracks Mac in 10 seconds at PWN2OWN, wins $5k. Later that same day, a computer science student from Germany who would only give his first name as Nils exploited Apple's Safari by using a vulnerability in WebKit.

Apple patched both vulnerabilities today, nearly two months after the contest. Mozilla, in comparison, patched its Firefox browser - which Nils also hacked at the CanSecWest security conference on the same day he broke Internet Explorer 8 and Safari - on March 27.

Storms was struck by the contrast between Apple's update and the one that Microsoft unveiled earlier today. "Microsoft, which historically has had the view of producing the less-secure operating system, puts out one bulletin today, with 14 vulnerabilities. And Apple comes out with [an update with] 67 bugs," he noted. "It's a 'I coulda had a V8' moment, where you slap your forehead," Storms continued. "It's like history changed in front of my eyes."

Critical of Apple's security practices in the past, Storms didn't let up today. "Who really knew that OS X was this insecure?" he said. "This has to be a wake-up call for somebody."

He did not, however, hit the quality of Apple's patches. "The quality on both sides is good," he said. "I don't see a difference in quality between the two [Apple and Microsoft]." Instead, he focused on the lack of business-grade management tools and the paucity of information that Apple provides about the bugs and the ensuing patches.

"Macs really still aren't an enterprise tool," he said, "even though Apple's marketing likes to say that they are, and that they're used in enterprises."

Apple last patched its operating system in mid-February 2009, when it fixed 48 vulnerabilities. Today's patch tally was 40% larger, and the biggest since that 90-fix update 14 months ago.

Safari also was patched today. Apple issued separate security updates for Safari 3.0 and the beta of Safari 4.0; both updates patched three vulnerabilities in the Mac and Windows versions of the browser. Mac users can apply the updates separately, but the patches are included in the 67 that make up 2009-002.

The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.5.7 upgrade also released today.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?