Apple delivers jumbo security update for Mac OS X
Patches 67 bugs, including two used to hack Macs at Pwn2Own contest
Computerworld - Apple Inc. today patched 67 vulnerabilities in Mac OS X, including two bugs that researchers used in March to walk off with $5,000 each in a noted hacking contest.
Tuesday's update was the largest for Apple since March 2008.
"For Apple, updates this size are now becoming the norm," said Andrew Storms, director of security operations at nCircle Network Security.
Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.
More than a third of the vulnerabilities -- 26 of the 67 -- carried Apple's "arbitrary code execution" description, meaning an attacker could run code of his choosing on the machine; in practice that is the most serious outcome a flaw can have, and it would be rated critical elsewhere. Unlike many other vendors, such as Microsoft and Oracle, Apple does not assign a severity ranking to the bugs it discloses.
Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache Web server and the WebKit browser rendering engine that powers Safari. "I don't see Apple moving at a faster pace," said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. "Some of these I remember patching [on Linux] back in December."
"Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities," Storms continued. Because upstream projects publish their fixes in the open, researchers can compare the patched and unpatched code, work out what the fix prevents, and build an exploit against Apple's still-unpatched build of the same component, secure in the knowledge that the company hasn't yet pushed out updates.
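The lag Storms describes is something an administrator can measure rather than take on faith: inventory the bundled open-source components on the machine and compare each installed version against the version in which upstream shipped its fix. The following is an added example written for this article, not code from Apple or from nCircle. It parses version banners of the shape that `httpd -v` and `named -v` print, handles BIND's `-Pn` patch-level suffix, and reports which components are behind. The banners and the "fixed upstream" versions are constructed for the demonstration; they are not the real state of any Mac OS X release or of any specific advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed version banners in the shape that `httpd -v`, `named -v`
# and `krb5-config --version` print. Illustrative only, not captured
# from a real system.
SAMPLE_BANNERS: Dict[str, str] = {
    "apache": "Server version: Apache/2.2.9 (Unix)",
    "bind": "BIND 9.4.2-P2",
    "kerberos": "Kerberos 5 release 1.6.3",
}

# Hypothetical "fixed in upstream" versions that the operator would fill in
# from the upstream project's release notes. These values are assumptions
# made for this example, not taken from any advisory.
UPSTREAM_FIXED: Dict[str, str] = {
    "apache": "2.2.11",
    "bind": "9.4.3-P1",
    "kerberos": "1.6.3",
}

# Dotted version, optionally followed by a BIND-style "-P<n>" patch level.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)(?:-P(\d+))?")

Version = Tuple[int, ...]


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version from a banner as a comparable tuple.

    The tuple is padded to three numeric parts so "9.4" sorts below
    "9.4.1", and the patch level (0 if absent) is appended last, so
    "9.4.3" sorts below "9.4.3-P1".
    """
    m = VERSION_RE.search(text)
    if m is None:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    parts.append(int(m.group(2)) if m.group(2) else 0)
    return tuple(parts)


def lagging_components(
    banners: Dict[str, str], fixed: Dict[str, str]
) -> Dict[str, Tuple[Version, Version]]:
    """Return {component: (installed, fixed)} for every component whose
    installed version is older than the upstream fixed version.

    Components with no banner or an unparseable banner are skipped rather
    than reported, so a missing tool never masquerades as "up to date".
    """
    lagging: Dict[str, Tuple[Version, Version]] = {}
    for name, fixed_str in fixed.items():
        banner = banners.get(name)
        if banner is None:
            continue
        installed = parse_version(banner)
        needed = parse_version(fixed_str)
        if installed is None or needed is None:
            continue
        if installed < needed:
            lagging[name] = (installed, needed)
    return lagging


def format_report(lagging: Dict[str, Tuple[Version, Version]]) -> str:
    """Render the lag table as one line per component, oldest first."""
    if not lagging:
        return "all tracked components at or above upstream fixed versions"
    lines = []
    for name in sorted(lagging):
        inst, need = lagging[name]
        lines.append(f"{name}: installed {'.'.join(map(str, inst))} "
                     f"< fixed {'.'.join(map(str, need))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(lagging_components(SAMPLE_BANNERS, UPSTREAM_FIXED)))
```

On a real machine the `SAMPLE_BANNERS` dict would be replaced by the captured output of the tools, and `UPSTREAM_FIXED` kept alongside the upstream advisories that motivated each entry; the comparison is the part worth getting right, since a naive string compare would rank "2.2.9" above "2.2.11".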
Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.
But the highest-profile vulnerabilities today -- if only because they attracted so much media attention -- were the two bugs used at "Pwn2Own," the annual hacking contest sponsored by 3Com's TippingPoint.
Last March, Charlie Miller, an analyst at Independent Security Evaluators in Baltimore, won $5,000 and a MacBook after using a flaw in the Apple Type Services component of Leopard to break into the laptop in less than 10 seconds. Later that same day, a computer science student from Germany who would only give his first name as Nils exploited Apple's Safari by using a vulnerability in WebKit.