Patch/Configuration Management, Vulnerability Management

Apple delivers record Mac OS X security update

Apple late Tuesday issued its largest Mac OS X security update ever, delivering fixes for more than 80 vulnerabilities.

The “highly critical” flaws, which exist across a number of applications and components in OS X 10.4 (code-named Tiger) and 10.5 (Leopard), might permit security bypass, privilege escalation and system takeover, according to vulnerability tracking firm Secunia.

“I actually didn't count every single bug in it, but it's biggest I've seen in memory,” Peter James, a spokesman for Mac security vendor Intego, told SCMagazineUS.com on Tuesday. “What's interesting is that a lot of things that are fixed have a lot of issues.”

Roughly half of the updates addressed problems in third-party software that is bundled with the OS X, such as the Apache web server (10 flaws), PHP programming language (10) and ClamAV anti-virus (19), James said. The latter offering is shipped with the OS X server.

“Apple does depend on a lot of outside software, open-source or not,” he said. “While they're not responsible for it, where there are problems with this software, it could eventually affect Mac OS X.”

Holes were also plugged in many other components, including the CUPS printer services, Core Foundation and AFP (Apple Filing Protocol). The most interesting fix may have involved a mistaken German translation included in the application firewall preference plug-in, James said.

Meanwhile, Apple also released an update to its Safari web browser, plugging 13 vulnerabilities, many of which could be exploited by attackers to launch cross-site scripting attacks.

The security update is by far OS X's largest on record, and many Mac enthusiasts were left wondering why the company failed to push out patches as third-party updates became available.

“There are a lot of people asking on blogs and websites, ‘Why didn't they do this progressively?'” James said. “It's like they were saving up to drop as many things as they could at a single time.”

Jennifer Hakes, an Apple spokeswoman, did not respond to a request for comment.

News of the security update comes on the heels of new research from NPD that shows Macs last month accounted for 14 percent of all U.S.-based PC retail sales, up 60 percent from the same period one year ago.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.