
Apple issues slew of patches

Apple on Tuesday released Mac OS X 10.6.7, an update to Snow Leopard, and issued Security Update 2011-001 for Mac OS X 10.5 Leopard.

The two releases address largely the same security and non-security issues across a range of Apple components, including the Snow Leopard and Leopard operating systems themselves, the Safari 5.0.4 web browser, the App Store, and the driver for AirPort, Apple's Wi-Fi networking hardware.

In addition, the update fixes issues in Windows file sharing and in Back to My Mac, Apple's remote-connectivity feature, including the IPSec-encrypted connections it establishes between machines, and updates bundled third-party software such as Apache and PHP.

Image and font rendering subsystems were patched, as was QuickTime, the company's multimedia framework. The flaws could have let a maliciously crafted downloaded file execute code or crash the system. A separate AirPort driver bug could have let an attacker on the same Wi-Fi network trigger a system reset.

Several vulnerabilities, some allowing arbitrary code execution, were also patched in ClamAV, the open-source virus scanner bundled with Mac OS X Server's mail service.

According to Apple's announcement, the update also improves the stability of web pages with plug-in content, as well as image reflections and transition effects, fixes an issue that could render layouts incorrectly when printing, and improves VoiceOver, Apple's screen reader.

Another fix, for ImageIO, corrected an integer overflow in the handling of maliciously crafted JPEG-encoded TIFF images that could have led to application termination or arbitrary code execution. A number of buffer overflows in the handling of maliciously crafted Canon RAW images, with the same consequences, were also patched.
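The ImageIO and Canon RAW bugs above belong to a single well-known class: an image header carries dimensions the decoder trusts, the size arithmetic wraps or is never bounded, and the pixel data then overruns a buffer that is too small. The following C program is an added illustration of that class written for this article; it is not Apple's ImageIO or Image RAW code and does not reproduce the actual patched bugs. The header fields, the 256 MiB policy limit and the sample dimensions are all assumptions constructed for the example. It computes a vulnerable 32-bit allocation size next to a hardened one and reports how many bytes the vulnerable decoder would write past its buffer, without actually performing the out-of-bounds write.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy limit on how large a decoded pixel buffer may be. A real decoder
   would derive this from its memory budget; the value here is an assumption
   made for this example. */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)

/* Vulnerable size computation: the three header fields are attacker-
   controlled 32-bit values and the product is taken in 32-bit arithmetic,
   so it silently wraps. A header describing a huge image can therefore
   produce a small allocation that later row copies overrun. */
uint32_t vuln_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* What the decoder will really write once it walks the image row by row:
   height rows of width * bpp bytes. Computed in 64-bit so it cannot wrap. */
uint64_t bytes_actually_written(uint32_t width, uint32_t height, uint32_t bpp) {
    return (uint64_t)width * height * bpp;
}

/* Bytes the vulnerable decoder would write past the end of the buffer it
   allocated from vuln_pixel_bytes(); 0 means the header is harmless. */
uint64_t vuln_overrun_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    uint64_t need = bytes_actually_written(width, height, bpp);
    uint32_t alloc = vuln_pixel_bytes(width, height, bpp);
    return need > alloc ? need - alloc : 0;
}

/* Hardened size computation: reject zero dimensions, check each partial
   product against the policy limit before the next multiplication (so no
   intermediate can exceed 64 bits), and return -1 on rejection. */
int64_t safe_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    uint64_t n = (uint64_t)width * height;   /* two 32-bit factors: no wrap in 64 bits */
    if (n > MAX_PIXEL_BYTES)
        return -1;
    n *= bpp;                                /* n <= 2^28 * 2^32 = 2^60, still no wrap */
    if (n > MAX_PIXEL_BYTES)
        return -1;
    return (int64_t)n;
}

int main(void) {
    /* Constructed header values, not from a real file: 65537 x 65536 pixels
       at 1 byte each needs 0x100010000 bytes, which wraps to 0x10000. */
    uint32_t w = 0x10001u, h = 0x10000u, bpp = 1u;
    printf("vulnerable alloc: %u bytes\n", vuln_pixel_bytes(w, h, bpp));
    printf("bytes written:    %llu bytes\n",
           (unsigned long long)bytes_actually_written(w, h, bpp));
    printf("heap overrun:     %llu bytes\n",
           (unsigned long long)vuln_overrun_bytes(w, h, bpp));
    printf("hardened result:  %lld (-1 = rejected)\n",
           (long long)safe_pixel_bytes(w, h, bpp));

    /* A benign 640x480 RGB image passes the hardened check. */
    printf("benign 640x480x3: %lld bytes\n",
           (long long)safe_pixel_bytes(640u, 480u, 3u));
    return 0;
}
```

The hardened version checks the partial product against the policy limit before every further multiplication; checking only the final 64-bit product is not enough, because a sufficiently large third factor could wrap even 64-bit arithmetic. The same shape of check applies to RAW decoders, where per-row or per-tile sizes are computed from header fields before data is copied into a fixed buffer.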

"Nothing jumps out as earth-shattering, but users should patch as soon as possible," Chet Wisniewski, senior security adviser at Sophos Canada, said on Tuesday. He said that among the fixes, the updates to Safari were the most important. Several flaws in the browser that he observed at a trade show in Vancouver two weeks ago were fixed in today's release.

Writing on his blog, Graham Cluley, a senior technology consultant at Sophos, agreed with Wisniewski's assessment. He pointed out that while Apple does not assign severity ratings to the vulnerabilities it patches, the bugs in its Safari web browser "look pretty critical to me." A majority of the 62 bugs could be exploited simply by a user visiting a maliciously crafted website, he wrote.

That, Cluley advised, is reason enough to install the update.

"There is no reason to panic," Wisniewski said. "But when the patch is out, do the right thing."
