Apple delivers jumbo security update for Mac OS X
Patches 67 bugs, including two used to hack Macs at Pwn2Own contest
Computerworld - Apple Inc. today patched 67 vulnerabilities in Mac OS X, including two bugs that researchers used in March to walk off with $5,000 each in a noted hacking contest.
Tuesday's update was the largest for Apple since March 2008.
"For Apple, updates this size are now becoming the norm," said Andrew Storms, director of security operations at nCircle Network Security.
Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.
More than a third of the vulnerabilities -- 26 of the 67 -- were labeled with Apple's "arbitrary code execution" description, meaning the flaws are critical in nature and could be exploited to hijack a Mac. Unlike many other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.
Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache Web server and the WebKit browser rendering engine that powers Safari. "I don't see Apple moving at a faster pace," said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. "Some of these I remember patching [on Linux] back in December."
"Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities," Storms continued. Researchers can look for fixed bugs in open-source code, and use that information to reverse-engineer an exploit against Apple's operating system secure in the knowledge that the company hasn't yet pushed out updates.
Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.
But the highest-profile vulnerabilities today -- if only because they attracted so much media attention -- were the two bugs used at "Pwn2Own," the annual hacking contest sponsored by 3Com's TippingPoint.
Last March, Charlie Miller, an analyst at Independent Security Evaluators in Baltimore, won $5,000 and a MacBook after using a flaw in the Apple Type Services component of Leopard to break into the laptop in less than 10 seconds. Later that same day, a computer science student from Germany who would only give his first name as Nils exploited Apple's Safari by using a vulnerability in WebKit.