Apple patches 18 Mac vulnerabilities, ships OS X 10.5.8
Fixes flaws in six critical image file bugs hackers could use to snatch Macs
Computerworld - Apple on Wednesday patched 18 vulnerabilities in Mac OS X, including half a dozen that could let hackers hijack machines by duping users into viewing malicious image files on the Web.
Security Update 2009-003, which was distributed along with Mac OS X 10.5.8 for Leopard users and delivered separately to Tiger users, plugged holes in components ranging from ColorSync and Dock to the kernel and MobileMe, Apple's for-pay sync and storage service.
But it was the six vulnerabilities in various image file formats that caught the eye of Andrew Storms, director of security operations at nCircle Network Security.
"The PNG [Portable Network Graphics] bug is the most interesting," said Storms of the half-dozen image file flaws. "It's a pervasive format that's frequently on Web sites," he added, noting that attackers could trigger the bug simply by getting users to visit malicious sites, a common tactic in the Windows hacker world.
"It's easy enough to host one of these malicious files on [a hacker's] Web site," Storms added.
Apple patched four flaws in the ImageIO component of the Mac's operating system related to its handling of OpenEXR images, a format developed by Lucasfilm's Industrial Light and Magic visual effects studio in 1999 and released to open-source four years later. The sixth image vulnerability, also in ImageIO, could be exploited by malformed Canon RAW photographic files.
Today's security release was Apple's smallest this year by vulnerability count. In May, for example, the California-based computer company quashed 67 bugs, while February's security update patched 55.
Storms saw other oddities this time around. "Usually, we see a lot of Safari or WebKit vulnerabilities, or bugs in a lot of third-party components," he said. "Today, we got neither."
Two of the bugs Apple called out in its advisory affect Safari, but the flaws are not actually found in the browser. And with the exception of one vulnerability in the "bzip2" open-source data-compressor, all of today's bugs were within Apple's own code.
Storms also called attention to the MobileMe vulnerability, which, although not serious, could be used by unscrupulous friends or co-workers to access someone's account. "A logic issue exists in the MobileMe preference pane," Apple said in the advisory. "Signing out of the preference pane does not delete all credentials. A person with access to the local user account may continue to access any other system associated with the MobileMe account which had previously been signed in for that local account."
"This one's important only because MobileMe is such a big application for Apple," argued Storms.
More than half of the vulnerabilities -- 10 of the 18 -- were labeled with Apple's "arbitrary code execution" phrase, meaning the flaws are critical and could be exploited to compromise a Mac. Unlike other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts