Apple Inc. yesterday released a security update for Mac OS X that patched 45 vulnerabilities, including several in the open-source Samba file-sharing code that researchers recently warned still threatened users more than 10 weeks after the discovery of critical bugs.
The 2007-007 update for Mac OS X 10.3, also known as "Panther," and 10.4, a.k.a. "Tiger," fixes a total of 45 bugs, at least 17 of which Apple acknowledged could lead to hackers executing attack code. Although Apple does not rate vulnerabilities as Microsoft Corp. and other companies do, the flaws it pegs as possibly leading to "arbitrary code execution" would rank as "critical" in other vendors' threat-scoring systems.
Among the components of Mac OS X patched yesterday were CFNetwork, the Mac OS X library of network protocols; CoreAudio, the application programming interface that handles sound on Macs; the zgrep file-compression utility; iChat; and WebCore, the part of the WebKit application framework that handles HTML rendering.
Nearly three-fourths of the vulnerabilities patched in 2007-007 were in open-source software that Apple blends with its proprietary code to create Mac OS X and its supporting applications. Multiple bug fixes, for instance, were included in the update for open-source programs such as Kerberos, PHP, Samba, SquirrelMail and Tomcat. In most instances, Apple declined to specify the effect of each bug in the open-source software, instead simply pointing users to the relevant project page. Those open-source projects, however, rarely spell out security fixes in formats or language accessible to all but the most technically-astute users.
Prominent in the update, if only because they have recently been in the news, were three patches for Samba, the open-source file- and print-sharing software included with Mac OS X. Late last week, Symantec Corp. researchers reminded users that the flaws, revealed and patched on May 14, remained a dangerous threat. Exploit code effective against Macintosh computers had been in circulation during much of July.
Apple also patched several cross-site scripting, information-disclosure, and code-execution flaws in the underlying code used by the Safari browser. Included in that category was a fix for a Safari vulnerability that had been unveiled by a trio of security researchers last week and that was used to exploit the iPhone's version of Safari. Although the danger was smaller on a Mac than on the iPhone -- hacking Safari on the mobile device gives attackers complete access to the hardware and all its data -- Apple warned that the bug in Mac OS X's edition of Safari could still result in successful attack code.
Mac users can download the updates -- the set for Intel Macs weighs in at nearly 26MB -- from the Apple site or retrieve them using the operating system's integrated update feature.
The beta of Safari 3, the next-generation browser that Apple is testing on both Mac and Windows machines, also was targeted by several patches yesterday. Safari 3.0.3 fixes four flaws, two of which are vulnerabilities carried over from old code; the same bugs were disclosed and patched for Version 2 of Safari, which is bundled with Tiger, Mac OS X 10.4.
Old-code bugs are not an Apple-only problem. Researchers have found multiple vulnerabilities in Microsoft's Windows Vista that also live in earlier editions of the operating system, a finding that has proved to be an embarrassment to Microsoft, which aggressively touted new security development procedures it claimed would weed out such bugs.
Windows users of Safari 3 can update to 3.0.3 by downloading the new version or by running the optional Apple Software Update utility.