In one of its largest security updates this year, Apple has announced a series of patches for its Mac OS X to address more than 60 vulnerabilities, some of which could enable malicious hackers to remotely hijack Macintosh computers.
“Nearly every component of Apple's OS and its applications is touched by security-related fixes in the latest massive update from Apple,” said Andrew Storms, director of security operations for nCircle, a network security firm, in an email to SCMagazineUS.com. “This is a real wakeup call for everyone that has been touting the Mac OS as more secure than Windows.”
The updates, released Tuesday, included patches for Apple's Safari browser for both the Mac and Windows platforms.
Many of the vulnerabilities were in open-source code used with the Mac, such as Apache Web server and WebKit (part of Safari). An input validation issue in Apache's handling of FTP proxy requests could result in a cross-site scripting attack if a user visited a malicious website via an Apache proxy, Apple said.
Also, Apple patched a request forgery issue in Apache. “A user who can publish files with specially crafted names to a web site can substitute their own response for any web page hosted on the system,” the advisory said. “This update addresses the issue by escaping filenames in content-negotiation responses.”
Regarding the fix for the open-source WebKit software, the Apple advisory said that without the patch, “visiting a maliciously crafted website may lead to arbitrary code execution.”
“As we have seen in the past with both OSX and the iPhone,” Storms said, “attackers utilize public disclosure of open source application vulnerabilities to find holes in Apple products.”
Among other fixes included in this update are patches for an unchecked index issue in the OS kernel's handling of work queues, which may lead to an unexpected system shutdown or arbitrary code execution with kernel privileges. The update addresses the issue through improved index checking.
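The kernel fix described above ("improved index checking") addresses a defect class that is easy to see in a small, self-contained example: a caller-supplied index is used to address an array without being validated, so an out-of-range value reads or writes memory outside the array. The C code below is added here for illustration and is not Apple's kernel code; the work-queue structure, its capacity, the handler functions and the sample entries are all hypothetical constructions. It places an unchecked accessor beside a hardened one that validates the index against both bounds, using the live entry count rather than the raw array capacity.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical fixed-capacity work queue, constructed for this example. */
#define WQ_MAX_ITEMS 8

struct work_item {
    int id;
    int (*fn)(int);       /* handler pointer; corrupting it yields control-flow hijack */
};

struct work_queue {
    size_t count;                          /* number of live entries */
    struct work_item items[WQ_MAX_ITEMS];
};

static int handler_double(int x) { return 2 * x; }

/* Matches the defect class: the index arrives from a caller and is used
 * as-is, so any value outside [0, count) addresses memory beyond items[]. */
static int wq_get_id_unchecked(const struct work_queue *q, long idx)
{
    return q->items[idx].id;               /* no bounds check */
}

/* Hardened accessor. A negative index is rejected explicitly instead of
 * being silently converted to a huge unsigned value, and the upper bound
 * is the live count rather than the array capacity, so stale slots are
 * never read. Returns 0 on success, -1 on any rejected input. */
static int wq_get_id_checked(const struct work_queue *q, long idx, int *out)
{
    if (q == NULL || out == NULL)
        return -1;
    if (idx < 0 || (size_t)idx >= q->count)
        return -1;                         /* reject out-of-range index */
    *out = q->items[idx].id;
    return 0;
}

/* Same check applied before dereferencing the handler pointer. */
static int wq_run_checked(const struct work_queue *q, long idx, int arg, int *result)
{
    if (q == NULL || result == NULL)
        return -1;
    if (idx < 0 || (size_t)idx >= q->count)
        return -1;
    if (q->items[idx].fn == NULL)
        return -1;
    *result = q->items[idx].fn(arg);
    return 0;
}

/* Constructed sample queue with two live entries out of eight slots. */
static struct work_queue make_sample_queue(void)
{
    struct work_queue q = {0};
    q.count = 2;
    q.items[0].id = 10; q.items[0].fn = handler_double;
    q.items[1].id = 11; q.items[1].fn = handler_double;
    return q;
}

/* Convenience wrappers: return the looked-up id / handler result, or -1 if
 * the index was rejected by the hardened accessors. */
static int sample_lookup(long idx)
{
    struct work_queue q = make_sample_queue();
    int id = 0;
    return wq_get_id_checked(&q, idx, &id) == 0 ? id : -1;
}

static int sample_run(long idx, int arg)
{
    struct work_queue q = make_sample_queue();
    int r = 0;
    return wq_run_checked(&q, idx, arg, &r) == 0 ? r : -1;
}

int main(void)
{
    struct work_queue q = make_sample_queue();
    /* The unchecked accessor is only ever called here with a valid index. */
    printf("unchecked, valid index 0 -> id %d\n", wq_get_id_unchecked(&q, 0));
    printf("checked,   index 1      -> id %d\n", sample_lookup(1));
    printf("checked,   index 2      -> %d (beyond live count, rejected)\n", sample_lookup(2));
    printf("checked,   index -1     -> %d (negative, rejected)\n", sample_lookup(-1));
    printf("checked,   run slot 0   -> %d\n", sample_run(0, 21));
    return 0;
}
```

The point of the hardened accessors is that the check happens once, on both bounds, before any memory is touched; index 2 is rejected even though the backing array has eight slots, because only two entries are live.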
Another issue fixed could have let a remote user cause an unexpected system shutdown. Specifically, when IPv6 support is enabled, an implementation issue in the handling of incoming ICMPv6 "Packet Too Big" messages could cause an unexpected system shutdown. The update addresses the issue through improved handling of ICMPv6 messages.
With another patch, Apple fixed a BIND susceptibility to spoofing attacks if configured to use the DNS Security Extensions (DNSSEC). “On systems using DNSSEC protocol, a maliciously crafted certificate could bypass the validation,” the advisory said, “which may lead to a spoofing attack. The update addresses the issue by updating BIND for OS X.”