Apple Releases 31 Year End Patches
The latest round of updates was the largest so far this year, covering more than 40 detected vulnerabilities. Apple has issued a total of nine security updates in 2007, encompassing about 200 bugs. Security professionals recommend that users install the newly released updates as soon as possible, particularly those that repair vulnerabilities remotely exploitable over the Web.
"This was a huge batch of patches," said Jon Orbeton, strategic product manager for IronPort. "The going theory is as the user population of Apple continues to increase they become a more significant target for the attackers."
The Mac OS patches address components ranging from widely used items such as Address Book, iChat and the Flash Player Plug-in to lesser-known elements such as ColorSync, the IO Storage Family, and the Perl, Python and Ruby programming languages.
Patches for both operating systems addressed vulnerabilities in Core Foundation, CUPS, Flash Player Plug-in, Launch Services, Perl, Python, Ruby, Safari, Samba and Shockwave Plug-in.
Patches for Leopard (Mac OS X 10.5.1) also fixed vulnerabilities in CFNetwork, QuickLook and Spin Tracer, while the updates for Tiger (Mac OS X 10.4.11) patched vulnerabilities in Address Book, ColorSync, Desktop Services, SMB, Spotlight, IO Storage Family, Mail, iChat, Gnu Tar, tcpdump and XQuery.
Security experts maintain that some of the most serious flaws were those affecting the Safari browser. The patch issued for Apple's Safari 3 beta code, running on Windows as well as Mac OS X, addressed a flaw that had given criminals the ability to access sensitive or identifying information through a Web-based cross-site scripting attack. A two-pronged attack could be deployed when a user reached a malicious Web site by clicking on an infected link sent by e-mail.
"That's one of the trends we've seen, where a large majority of the attacks are taking place by simply sending someone a link in an e-mail," said Orbeton. "Simply by viewing the page, you could infect yourself."
Security researchers also contend that the vulnerability in Gnu Tar, a program that bundles multiple files into a single archive for transfer over the Internet, could be serious because it allowed a remote attacker to overwrite arbitrary files by enticing a user to extract a maliciously crafted tar file.
"It lets you rewrite anything on that system, or just add in data to give yourself," said John Bambenek, security handler at SANS' Internet Storm Center and research programmer at the University of Illinois. "Assuming that an attacker was clever enough to do this," he added.
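The overwrite Bambenek describes is possible when an extractor trusts member names and link targets exactly as they appear in the archive. The following is an added example, not code from the article or from GNU tar itself: it vets every member of a tar archive before anything is written to disk, rejecting absolute names, ".." traversal, and links whose target resolves outside the extraction directory. The sample archive contents and the /tmp/extract_here destination are constructed for illustration.

```python
"""Pre-extraction check for tar members whose paths escape the target directory.

Added example, not code from the article or from GNU tar. It shows the
defender's side of the flaw described above: a crafted archive can only
overwrite files outside the extraction directory if the extractor writes
members without checking where their names and link targets resolve.
"""
import io
import os
import tarfile


def _escapes(dest, relpath):
    """Return True if dest/relpath resolves to a location outside dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, target]) != root


def unsafe_members(archive_bytes, dest):
    """Return the names of archive members that must not be extracted into dest.

    A member is flagged when its name is absolute, when it traverses out of
    dest via "..", or when it is a symlink/hardlink whose target lies outside
    dest (a later member could then be written through the link).
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if os.path.isabs(name) or _escapes(dest, name):
                flagged.append(name)
                continue
            if member.issym() or member.islnk():
                # Hardlink targets are relative to the archive root; symlink
                # targets are relative to the directory containing the link.
                base = "" if member.islnk() else os.path.dirname(name)
                link = member.linkname
                if os.path.isabs(link) or _escapes(dest, os.path.join(base, link)):
                    flagged.append(name)
    return flagged


def safe_extract(archive_bytes, dest):
    """Extract only after the whole archive passes the check; refuse otherwise."""
    bad = unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError("refusing to extract, unsafe members: %s" % ", ".join(bad))
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        tar.extractall(dest)
    return True


def build_sample_archive(hostile=True):
    """Build an in-memory archive (constructed sample data for this example).

    With hostile=True it also contains a ".." traversal entry, an absolute
    path and a symlink pointing above the extraction directory.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("notes/readme.txt", b"harmless content\n")
        if hostile:
            add_file("../../.profile", b"# would land outside the extraction dir\n")
            add_file("/etc/hosts", b"# absolute path, would clobber a system file\n")
            link = tarfile.TarInfo("notes/escape")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../.."
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed destination; nothing is written, only the member list is checked.
    print(unsafe_members(build_sample_archive(), "/tmp/extract_here"))
```

Resolving both the destination and each candidate path with `os.path.realpath` before comparing them is what makes the check robust: normalisation alone would miss a destination that is itself a symlink, and a plain string-prefix test would accept `/tmp/extract_here_evil` as being inside `/tmp/extract_here`.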
While Apple does not rate its patches by severity, at least half of the detected vulnerabilities could feasibly result in a serious exploit in which a remote attacker executes arbitrary code to take complete control of a machine or to shut down the affected system.
The new round of patches came just days after a major update to Apple's QuickTime Player, for which a significant exploit was discovered last month on both Mac and Windows platforms. While the latest round of patches might seem large in contrast to previous updates, the total number for this year is comparable to that of other companies like Microsoft because, unlike the Redmond, Wash.-based software giant, Apple doesn't maintain a regular monthly update schedule. Instead, Apple tends to bundle repairs together and release them sporadically throughout the year, which security experts say could open the company up to destructive attacks in the future.
"Apple sends stuff out when they send stuff out," said Bambenek. "I don't think it's going to change until they get burned."