Apple delivers record monster security update
Patches 92 bugs in Leopard, Snow Leopard; no fix for Pwn2Own vulnerability
Computerworld - Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems.
Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple's largest patched 67 vulnerabilities.
"The sheer number, it's almost so daunting that you don't even want to look," said Andrew Storms, director of security operations at nCircle Network Security.
Today's security roll-up fixed flaws in 42 different applications or operating system components in Mac OS X, from AppKit and Application Firewall to unzip and X11, the Mac's version of the X Window System.
Eighteen of the vulnerabilities were specific to the older Leopard operating system, while 29 were specific to Snow Leopard. The remaining 45 affected both, which are the only editions that Apple currently supports. Users running Leopard will patch 63 vulnerabilities, while Snow Leopard users face a total of 74 flaws.
The update brings Snow Leopard to version 10.6.3, making this the third major update to the OS that Apple launched in August 2009. Apple also addressed a list of nearly 30 non-security issues in the 10.6.3 update. Leopard users, meanwhile, received only the security patches.
More than 40% of the vulnerabilities patched today, 37 out of the 92, were accompanied by the phrase "may lead to arbitrary code execution," which is Apple's way of saying that a flaw is critical and could be used by attackers to hijack a Mac. Apple does not assign ratings or severity scores to the bugs it patches, unlike other major software makers, such as Microsoft and Oracle.
Among the most noticeable patches were nine affecting QuickTime, Apple's media player, in Snow Leopard. All nine were rated critical; six had been reported to Apple by 3Com TippingPoint, which runs a bug bounty program called Zero Day Initiative.
TippingPoint was in the news much of last week as it again sponsored the Pwn2Own hacking contest at the CanSecWest security conference in Vancouver, British Columbia. The company handed out $45,000 in prizes to five researchers for hacking the iPhone, as well as Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox browsers.
Charlie Miller, the researcher who cracked Snow Leopard's security defenses to take down Safari, said today that Apple had not patched the vulnerability he used last Wednesday. "New patch doesn't fix pwn2own bug," Miller said via Twitter. "Sorry suckers, gonna have to wait for the next patch."
The timing of today's monster update didn't come as a surprise to nCircle's Storms. "It's not suprising that they patched QuickTime, what with the pending iPad release," he said today, referring to the April 3 on-sale date for Apple's new media tablet. Apple typically updates its iTunes music software, and the accompanying QuickTime player, before it releases new products that call on the former. The iPad will use the iTunes store to serve up applications and media content to customers.
"For the same reason, I'm going to guess that Apple will also update the iPhone OS this week," Storms added.
The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
- iTunes is almost as big a biz as OEM Windows
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts