Apple patches 40 Mac OS X security bugs
Flash Player updated; at least one iCal flaw fixed
The year's third update fixed fewer than half as many flaws as the previous collection, which Apple issued two months ago to plug nearly 90 holes.
Apple tagged 16 of the 40 patches in Wednesday's update with its "arbitrary code execution" phrasing, putting them into the category most other vendors would label "critical."
According to the Security Update 2008-003 advisory, the most-patched components by vulnerability count were Apple's version of the Apache open-source Web server (eight bugs fixed) and the version of Adobe's Flash Player that Apple tucks into Mac OS X (seven flaws patched).
Fixes to Flash Player, said Apple in its Security Update 2008-003 advisory, update the popular multimedia player application to Version 126.96.36.199, the one currently available for download from Adobe itself. Adobe released that version nearly two months ago to patch the same seven vulnerabilities Apple fixed yesterday. Among the seven was one used to claim a $5,000 prize at a hacker challenge in late March.
Coincidentally, earlier versions of Flash Player are currently being exploited by attackers who have hacked legitimate Web sites and are infecting Windows users with a variety of malware.
Also notable in the update was a fix for one of three iCal vulnerabilities that had been disclosed last week by Core Security Technologies. Apple patched the most serious of the trio, marked as CVE-2008-1035, Core's chief technology officer, Ivan Arce, confirmed today. "Yes, I can say that they patched the most serious of the vulnerabilities, but I cannot confirm that they have patched, or haven't patched, the other two."
Core reported the three iCal bugs to Apple in January 2008, and then went public with information about the vulnerabilities last week after it tired of Apple's patch delays. Core's researchers and Apple's security team also disagreed over the severity of the two bugs still unpatched, according to notes Core posted online.
Arce confirmed the disagreements last week in an interview, and mentioned them again today. After several rounds of e-mail messages, he said, Core told Apple that it appeared the two lesser vulnerabilities were "crash-only," and could not be used to inject malicious code. "But that doesn't mean that they're not security bugs," Arce argued last week.
"If you look at our timeline, you'll see that there was some disagreement about whether the two bugs were security bugs," Arce said today. According to that timeline, Apple said it wanted to classify the two vulnerabilities as having "no security-related consequences." Core disagreed.
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Confront consumerization with convergence Virtualization expert Elias Khnaser spotlights the security, compliance, and governance issues that arise when enterprise users "consumerize" with shadow IT and public cloud...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Mac OS X White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!