Apple patches 45 vulnerabilities, updates Mac OS X to 10.4.9

Computerworld - Apple Inc. yesterday made up for Microsoft Corp.'s patch sabbatical by releasing a security update that featured fixes for 45 vulnerabilities, a third of which addressed flaws first made public during a pair of "bug-a-day" projects in late 2006 and early this year.

"They are obviously making an effort to get some of the issues that were uncovered in January out the door and patched up," Kevin Finisterre, who co-hosted January's Month of Apple Bugs (MoAB), said in an e-mail interview.

Security Update 2007-003 contained patches for 45 bugs in the operating system and several third-party applications bundled with Mac OS, including Adobe Systems Inc.'s Flash multimedia player, MySQL Server and OpenSSH. Two-thirds of the vulnerabilities, said Apple, could lead to "arbitrary code execution," the phrase security researchers typically equate with the most critical kinds of flaws.

The update fixed a flaw in the operating system's own Software Update mechanism, one of the nine made public by MoAB. If an attacker duped a user into downloading a malformed update file, he could trigger the vulnerability; the result might range from a crash of the update software to an ability to inject malicious code onto the Macintosh. Other flaws from MoAB and the November 2006 Month of Kernel Bugs (MoKB) that were fixed include six related to possibly malicious disk images and a buffer-overflow bug in AppleTalk.

For the most part, Apple has done right by its users in patching the publicized bugs, said Finisterre. "In all honesty, some of the MoAB bugs are some of the faster bug fixes I have seen out of Apple," he said. "It's good to see."

Finisterre could point to only one egregious flaw from MoAB that Apple hasn't fixed. "One of the blatant, easy local root exploits still exists in System Preferences. But it seems clear that [Apple] fixed quite a few of the critical issues."

The System Preferences bug was disclosed during the MoAB on Jan. 21.

Plenty of non-MoAB/MoKB vulnerabilities were also patched in yesterday's security update, including seven for MySQL, five for OpenSSH, and several in image parsing.

Simultaneous with the security release, Apple also upgraded Mac OS X to Version 10.4.9 with nonsecurity improvements, enhancements and tweaks. The ninth update since 10.4, a.k.a. Tiger, debuted in April 2005, the upgrade boasts improved application launch speed, enhanced Dashboard stability, support for the RAW image format, mouse scrolling and keyboard shortcuts, and last-minute daylight-saving time changes.

A much larger combination update package -- it weighs in at 310MB for Intel-based Macs -- is also available. The combo updater, which can be used on all Mac OS X 10.4 systems, includes updated ATI and nVidia graphics drivers, improvements to the Spotlight search engine and the ability to view QuickTime media streams from behind a firewall.

Yesterday's security update was Apple's seventh this year, and its patch count brings the company's year-to-date total to 64. Although Microsoft spared its customers a security update this month, it has released 16 bulletins and patched 30 vulnerabilities since Jan. 1.