Apple releases monster patch bulletin for OS X
The release of OS X version 10.4.11 fixes 41 security flaws, 13 of which allow the execution of arbitrary code.
Three fixes target issues in OS X that allow cross-site scripting attacks.
Apple fixed flaws in widely used OS X applications, including a vulnerability in Flash Player Plug-in that could allow arbitrary code execution if a user opens maliciously crafted Flash content.
Two patches fixed flaws in Safari, Apple's web browser. One vulnerability could be exploited by a maliciously crafted file to run arbitrary code; the other, an issue in Safari's tabbed browsing feature, could result in the disclosure of user credentials.
Numerous OS X applications were patched more than once by version 10.4.11. WebCore was fixed nine times, Kernel six times, Networking five and WebKit three.
Andrew Storms, director of security operations at nCircle, a network solutions vendor, told SCMagazine US.com today that Apple is fixing core OS X issues as well as applications developed with outside help.
“Certainly the Kernel patches stand out quite a bit because you're talking core OS X. Anytime you have to patch a kernel, it's a big deal for the entire operating system,” he said. “BIND, bzip2, and parts of WebKit come from the open source, and they stand out to me because that's the part of Apple's OS that is not developed [by company researchers]. That's where hackers have been spending their time.”
The release marks Apple's first update for OS X since June 22, when the Cupertino, Calif.-based technology giant released three patches in one week.
The update could mark the end of an era for Apple patches, according to Storms.
“I think that one thing we can look into is that this may be the last security update for OS X 10.4,” he said. “My sense is that they released Leopard with all of these fixes already made.”
Apple also released Safari 3 Beta Update 3.0.4, which contains eight fixes for the web browser on Microsoft's XP and Vista operating systems.
Two of the patches are for Safari, three each are for WebCore and WebKit.
Apple on Monday released fixes for the iPhone and iPod Touch, and it distributed a patch for QuickTime 7.3 last week.
Amol Sarwate, director of Qualys' vulnerability research lab, told SCMagazineUS.com today that the patch distribution indicates a growing emphasis on client-side threats.
“If you look at the impact of a lot of these advisories, there is the threat of arbitrary code execution, and what that means is that if someone constructs a file, such as a Flash file, and someone listens to that file or downloads that file, arbitrary code will execute on users' machines,” he said. “This contributes to a growing trend of client-side issues that attackers are targeting, instead of going after servers that are typically [looked after] by administrators.”