February 12, 2009 4:15 PM PST

Apple fixes dozens of holes with OS X security update

by Elinor Mills

Apple released a Mac OS X security update on Thursday that contains fixes for more than two dozen vulnerabilities, including one in Safari RSS that could lead to arbitrary code execution and one in Remote Apple Events that could disclose sensitive information.

Also fixed are a vulnerability in AFP Server that could trigger a denial of service and vulnerabilities in Apple Pixlet Video, ClamAV, CoreText, Python, SMB, and X11 that could lead to arbitrary code execution. Another fix closes a hole in Printing that could allow a local user to get system privileges and one in DS Tools that could expose passwords to other local users.

Security Update 2009-001 can be obtained from the Software Update pane in System Preferences or Apple's Software Downloads Web site.

Apple also on Thursday released Safari 3.2.2 for Windows, which fixes a vulnerability that could allow execution of arbitrary JavaScript in the local security zone. That update is also on Apple's download site.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
(42 Comments)
by 8301 February 12, 2009 4:29 PM PST
Oh, joy! I can't wait to hear Apple and Windows fanboys discuss this recent update in a civil and reasonable manner!
by Penguinisto February 12, 2009 4:42 PM PST
Me too - after all, everyone patches once in awhil- whoops, I see that john55440ms-shill already ruined it.
by Vegaman_Dan February 12, 2009 5:18 PM PST
Penguinisto:

Wow. Just.... wow. How very very sad.
by sciontcya February 12, 2009 4:32 PM PST
Installed with no drama thus far.
A security update - imagine, an OS has holes?
Wow.
Yep, let the fanboyz come in and ruin yet another page.
by john55440 February 12, 2009 4:32 PM PST
Buy a PC. (grin)

The Mac has "security through obscurity", but Apple programmers really are security incompetents.
by pmchefalo February 14, 2009 3:40 AM PST
Absolutely correct. The current statistics are security by obscurity completely, as shown by the article at the link below, where two malware writers scoff at the idea of attacking anything except the highest market share platform.

http://philosecurity.org/2009/01/12/interview-with-an-adware-author
by His SHadow February 15, 2009 5:02 AM PST
Thanks for the nonsense. Continue to wallow in ignorance. If continued updates and ZERO bona fide security issues is "incompetent", then what terminology could *possibly* be strong to describe the jackasses at Microsoft?
by myles taylor February 12, 2009 4:48 PM PST
And so it begins......^
by solu1978 February 12, 2009 5:00 PM PST
OMG .. holes
by jessiethe3rd February 12, 2009 5:12 PM PST
Who's counting - Vista has less holes than OS X by far...
by protagonistic February 12, 2009 6:37 PM PST
And yet another person who has no clue speaks. You might want to rephrase that and say known holes. But then OS X has been around a lot longer than Vista has.
by Vegaman_Dan February 12, 2009 5:13 PM PST
Good to hear of new updates fixing security holes in the OS.

Any OEM that takes responsibility for their product in such a manner has my approval.
by kcotham February 12, 2009 5:16 PM PST
Will you people please get a f$@%$#%g life!?
by retrosteve February 12, 2009 5:17 PM PST
Ok, I'll be the Mac fanboy.
Maybe someone should calculate, for each MacOS vulnerability and each PC vuln, how many computers (by percentage out there) were infected / compromised using that vuln before it was announced, and how many after. Use the data from any reputable security firm.

Just a table something like:

Vuln | Platform | % Compromised before patch | % Compromised after patch
1 | PC | 10 | 30
2 | PC | 20 | 40
3 | MacOS | 0 | 0
4 | MacOS | 2 | 3
etc....

I think this might give some idea what's going on in real life.
by s1rf February 12, 2009 5:44 PM PST
How does that explain what goes on in real life? If PCs have 80+% of the market just by sheer numbers alone, you would expect to see these stats. The fact that the Mac shows up in the table would be of concern to me given the market share.
by tm_anon February 12, 2009 9:22 PM PST
@s1rf

Read the OP again. His numbers were percentages of those who use the OS. I'll dumb it down for you if you need to.

1 PC 10% 30%
2 PC 20% 40%
3 MacOS 0% 0%
4 MacOS 2% 3%

As in, for every 100 people using an OS, that many people's computers were affected.
by pmchefalo February 14, 2009 3:35 AM PST
Security by obscurity is no reasonable argument. Read the article at the link below and UNDERSTAND why the exploits are in one direction. NOT superior engineering, but poor market share.

http://philosecurity.org/2009/01/12/interview-with-an-adware-author
by tm_anon February 15, 2009 3:38 PM PST
@pmchefalo

When does Apple patch security holes? When does Windows patch security holes? When does Linux patch security holes?

You'll have a ready answer for only one of those three questions and that is one of the many reasons Windows is so insecure. Linux patches holes as they are found. Apple does roughly the same thing. Windows patches on Patch Tuesday.

We're not talking about the FUD called "security through obscurity", we're talking about a better security model and a better idea of how to patch any potential security holes.

Before linking an article, just look up security threats and potential security threats, notice how severe those threats are to each system and realize that it doesn't matter what gets said by some lowlife. Windows is just insecure. It's working on getting better, but it's still just insecure.
by s1rf February 16, 2009 8:36 AM PST
@tm_anon

Not sure why you felt the need to "dumb it down" considering I didn't dispute the numbers. If adding the % sign makes you feel more intelligent then by all means use it in every post. I was simply pointing out that this would be a viable comparison if Macs had a similar market share to what it is being compared against. My bet is that when Apple's market share doubles we will see vulnerabilities increase by a factor much larger.
by Ebeale February 12, 2009 5:17 PM PST
The almighty has fallen. Apple, you're no better than Microsoft.
by Norseman February 12, 2009 5:48 PM PST
Hey, ebeale, would you please refresh my memory about which company is offering $250,000 for information about who started a worm that crawled into their OS and is shutting down companies and even some country's air force?
by Ebeale February 12, 2009 6:03 PM PST
Let's look at how many Apple OS computers the air force is running on multiple brands of hardware. When you only have maybe 10% of the market, issues like this should be nonexistent.
by His SHadow February 15, 2009 5:08 AM PST
Good Jebus what a drama queen. Tell me, drama queen. How many botnets are running on Mac OS X? Careful, it's a trick question.
by MaLvaDo39 February 12, 2009 5:45 PM PST
Still ZERO viruses on my Mac :)
Go run your processor hogging anti-virus programs, Windows users.
by nopinktoday February 12, 2009 6:07 PM PST
*shrugs* With pleasure, doesn't bother me at the least.

On topic: Apple releases security updates once in a while, what's so new?
by pmchefalo February 14, 2009 3:36 AM PST
http://philosecurity.org/2009/01/12/interview-with-an-adware-author
by Mr. Dee February 12, 2009 5:50 PM PST
Where is AppleRocks? Oh, he must be busy trying to boot his Mac that 'Apple' just turned into a dead 'Rock' with these updates.
by Nataku4ca February 12, 2009 6:25 PM PST
lol good god LOL had a good laugh out of this one
by tm_anon February 12, 2009 9:24 PM PST
Surprised you're not too busy checking to see how many dozens of viruses your Windows machine has today to post. Bet you can't wait til Patch Tuesday.
by seven7dust February 12, 2009 6:41 PM PST
it doesn't matter how many holes they r in OSX
it's a fact that in all these years there has yet to be a massive outbreak of viruses/spyware etc

but for Windows users it's a daily affair
just recently there was a Article about how some 9 million Pcs were affected by some Worm

I switched 6-7 month back and ever since then
I've been running my macbook without n e form of protection
and guess wat no Viruses or spyware watsoever !
But on my Desktop PC I use more than 3 different Anti-spyware programs but it still manages to pick them up on a regular basis
and requires constant scans and updates to keep it up and running without problems not to mention anti-virus too

Macs r just safer, less burdening on the user and fun to use
it doesn't matter why or how but it's a fact
by Mr. Dee February 12, 2009 7:13 PM PST
I have been on Windows Vista Ultimate x64 since November 17 2006 and I have not experienced any of the infections reported. Every operating system is susceptible to attack, it's just the reality. Windows is in a position where it will be attacked more than others, but that doesn't mean the platform is not secure. If you do common things which Windows does for you automatically like have Automatic Windows Updates turned on, a security utility - you are just as safe as an OS X user. Anyway, it does not make sense explaining this to a Mac user, the over 1 billion Windows users have come to their senses.
by tm_anon February 12, 2009 9:32 PM PST
I ran Windows XP for 6 years with an antivirus turned on as well as having Windows Updates turned on. I got viruses, malware, spyware, etc. I switched to Linux 2 months ago and haven't seen a virus since.

I know friends who use Vista, they've seen viruses and malware and I've read plenty of articles about malware threats for Vista. Windows Updates don't do any good until Patch Tuesday, that's the problem. I update my computer daily while still working because it doesn't make me restart unless there's an update to the kernel itself. Even then, I get the choice of when I restart without having that annoying popup window every 5 minutes reminding me.

Yes, Vista is more secure than XP, that part I'll agree with. Vista is far from being as secure as either OS X or Linux.

As for your number for Windows users, let's see how high that number is by letting the users choose what OS to install rather than forcing Windows onto so many machines. It's increasingly difficult to even buy a used computer without Windows installed. Let's change that and see what happens.
by dream_fly February 12, 2009 9:39 PM PST
My daughter who is only 11 and has been using Vista for more than a year and w/o any anti-virus or anti-spyware program and got over 100 cookie "spyware" when I scanned her PC 2 days ago. She's only armed with the simple cautions. My wife got her first virus a few weeks ago after using her XP w/o any protection for many years. So it's not the PC or the OS, it's the lack-of-common-sense users that got themselves into trouble.
by Wei_Zhu February 12, 2009 10:56 PM PST
Dear dream_fly,

Relax. Your daughter's computer is just fine and does not have any virus :-)
Cookie "Spyware" is a nice little term invented by security companies to scare people to either buy their anti-virus software or install their toolbar, add-ons, etc. These cookie "spyware" really don't harm your computer. They don't run any code or steal any information on your computer. The only potential thing they do is to help sites track the web site that you just visited, but that's just how the web and browsers work. Every web site (Google, Apple, Microsoft) will track you through cookies.

Oh by the way, the cookie "Spyware" "infects" Mac and Linux equally well because they are just part of standard behavior on browsers. IE and Firefox have the same policy for cookies, while Safari chose to disable third party cookies by default. These are just browser policies, not some security holes.
by wesisw_ February 13, 2009 8:39 PM PST
Same amount of burden, just distributed differently. Why would malicious programmers spend the extra effort to make a Mac-compatible virus if they can target more users worldwide by writing it for Windows instead. Windows users, on the other hand, actually have to use common sense while browsing the net. (Gasp, the horror!) Any computer's biggest weakness is user stupidity, which explains why UAC exists (let's just make users OK everything) and why it doesn't work (click Continue out of habit). I've been using Vista and Windows 7, and haven't caught a virus on either OS.

So in conclusion, you have no common sense when it comes to browsing the web, and most malicious developers don't see the benefit of targeting Mac OS.
by pmchefalo February 14, 2009 3:37 AM PST
http://philosecurity.org/2009/01/12/interview-with-an-adware-author
by tm_anon February 15, 2009 3:43 PM PST
@pmchefalo

you've spammed that link in every comment on this page. Do we need to run an antivirus to get rid of you?
by seven7dust February 15, 2009 10:50 PM PST
however you guys try to spin this doesn't matter
Windows Pcs r being affected on a daily basis
but Mac and Linux users r unaffected !
so that by itself proves that windows is not secure
and why even bring marketshare into the picture, who cares ?

But by blaming the user for MSoft's problem is a new low from win fanboys !
we r paying good money to MS so they better learn to get things right !
Sure with a bit of common sense you can prevent spyware and viruses
but it requires Time ,effort and patience !
Why must I subject myself through all that trouble when there r better Alternatives ?
by eltoro2827 February 12, 2009 7:53 PM PST
hahahahahahahahahahahahahahahahahaha
crapple at its best
by saffroncapital February 12, 2009 7:55 PM PST
hmmm let's see... Python... not Apple's, but open source... Clam AV... not Apple's but open source... X11... not Apple's either.... so you foam about security holes in Apple's OS when a lot of the holes come from open source software from other players....

Apple does have security holes, just like every other software producer(!!)...

Microsoft has 'patch Tuesday' which everyone in Microsoft land seems to just love... and Apple closes security holes and it gets kicked??? Anyone care to explain how that works??
by His SHadow February 15, 2009 4:58 AM PST
Yes. Let's examine. Microsoft's miserable security has allowed for the creation of globe spanning identity stealing botnets which are also handy in extortion driven DDOS attacks, is regularly assaulted by crippling self replicating/distributing viruses and has cost IT departments the world over billions of dollars in the form of constant maintenance and repair.

But Apple practices due diligence in maintaining its OS and that's somehow BAD? Get your head out of your backside, MS fanboys. I'll throw in the free point that anyone counting vulnerabilities as an indication of the security of the respective OSes is a simpleton, as any simple search will overwhelmingly show that the ONLY OS routinely in the news as a threat to users' data and productivity is Microsoft's Windows.

And the market share rhetoric? Time to give it a rest. Given that Mac OS 9 had viruses, and its installed base wasn't very large in the 90s, your market share numerology is invalidated. The simple fact is that the Mac OS is better built from the ground up than Windows. If the numbers are even remotely true, and Windows' 94% or whatever market share nets it over 250000 variants of malware and what have you, then by ANY kind of math Mac OS X's 6 to 8 % should have netted itself at the very *least* a few dozen viruses or significant threats. 15000 threats at worst if the market share calculations mean anything.

But despite the Windows Weenies' best efforts to pretend otherwise, the reality continues to be this: zero viruses and less than a handful of trojans (which you have to install yourself!) for Mac OS X. None of the carping about Apple and dopey vulnerability counts has changed that fact. Deal with it and move on.
by AppleSuxLeo February 15, 2009 10:58 PM PST
QuickTime...er QuickSand, is proof Apple has incompetent programmers.