Apple Computer on Tuesday released 20 patches for its OS X operating system designed to fix flaws that could catch users off-guard.
The vulnerabilities apply to Mac OS X v10.3.9 and Mac OS X Server 10.3.9, according to Apple's advisory. The announcement comes roughly a month after Apple issued nearly a dozen patches for its Mac OS.
The advisory also falls just days after Apple's much ballyhooed release of the latest version of its operating system, Mac OS X 10.4, widely known as Tiger. The flaws were already addressed in Tiger, so the patches apply only to the previous version, known as Panther.
Security company Secunia on Wednesday rated Apple's OS X flaws as "highly critical." Among the flaws of greatest concern is a vulnerability in the OS X AppKit that relates to the handling of TIFF graphics files.
"If people view a malicious TIFF, it could result in running arbitrary code," said Thomas Kristensen, chief technology officer for Secunia. "TIFF is usually viewed as a safe form to view things, so this makes it more critical."
Another issue of concern is an AppleScript flaw. If users visit a Web site and accept AppleScript from that site, they could find it executing different code than they had expected, Kristensen added.
A flaw affecting the Apache Web server, meanwhile, is a buffer overflow in the htdigest program; if htdigest is used improperly in a CGI application, the overflow could in turn allow a remote attack on the system.
Secunia downplayed the Apache flaw.
"Apache is an important bug fix, but it would be unusually difficult to exploit and it would need an unusual configuration," Kristensen said.
Two vulnerabilities were also found in the operating system's Bluetooth wireless capabilities. One could allow files to be shared without properly notifying the user, while the other could let an attacker access files outside the default file exchange directory via the Bluetooth file and object exchange services.
Another flaw could allow directory services to be altered to give privileges to someone who is unauthorized to have them, according to the advisory.
Apple's OS X patch announcement also includes fixes for Finder, Foundation, Help Viewer, LDAP, libXpm, lukemftpd, NetInfo, Server Admin, sudo, Terminal and VPN.
Apple has no fixed schedule for issuing patches. By contrast, Microsoft in late 2003 moved to a monthly release of security fixes, and Oracle has adopted a similar practice, but on a quarterly basis.
Say it ain't so, Joe. So, that was 12 fixes last month, 20 this month & they won't even fix the problems with Tiger until August - hey this is way more secure than Winblows......how ?
I currently use 98SE, XP, OS X and Red Hat - so I'm not a single-OS bigot. But let me once again repeat RULE #1 - ALL SOFTWARE HAS BUGS.
how well Apple can push the patches out, and actually get folks to apply them. It has been one of the big problems for Microsoft. Patches are useless if your user base won't get them or install them.
Did you just make up the part about not fixing Tiger until August (or whatever month you said?) Because the story said that these minor vulnerabilities had already been fixed.
Maybe you are thinking of a Microsoft news story you just read? That would be typical for them to wait that long or at least until after it had been exploited many times (then the patch would create even worse problems.)
I use various vendor software/hardware for security - so sure, unless there's a consistent bug that crashes my machine, I can wait for a quiet time to schedule a monthly update.
But if M$, Apple etc break down their OS's at a macro functional level & can apply patches in the background, and can guarantee no down time, I'd prefer to get things fixed ASAP. It's just that I don't trust them to make the updates transparent to current machine activity.
Operating on the assumption that Apple releases updates when it fixes the problems I'd rather have that than a monthly schedule. Maybe I'm being too charitable of course.
Monthly updates are good. What is especially good is when the OS vendor can keep up with all vulnerabilities so well that there are NEVER any EXPLOITS. Also, most of the vulns are local exploits, and not network ones, not spyware, not adware, etc... this is also a GREAT thing WHEN YOUR VENDOR can do this!
Apple has no fixed schedule for issuing patches. By contrast, Microsoft in late 2003 moved to a monthly release of security fixes
I hope you don't actually froth at the mouth when reading articles about Apple looking for things to complain about. Just for the record all software will have bugs and vulnerabilities. Most companies, including Apple and Microsoft, will issue patches and updates to address these shortcomings. The company with the better record of avoiding actual exploits is the company with better security. Period. If there are other factors that may contribute to this result, so what? No amount of FUD is going to change actual experience.
Most users who went out and bought the first release of Tiger could care less about the VPN issues. Those who know about it will wait to upgrade to Tiger. For me, however, I have one request.
They introduced an RSS feed screen saver. It's awesome, it's useful, it's functional. But why does it limit me to choosing only one RSS feed for the screen saver?
This new feature is not only aesthetically pleasing, but very useful, AND I prefer to have my screen saver running full time to give me useful information that is only a single keystroke away to read an article. Since I have multiple CPUs, and a KVM switch, I use my iBook for this feature more as an application rather than a screen saver. Soooo ... PLEASE CHANGE the RSS feed screen saver to support multiple selection of RSS feeds.
FYI, my network of computers doesn't use a VPN so I had no problem with installing Tiger on my two Macs. My 2003, 2000 and XP machines all play nicely with my Mac mini and iBook.
The original version of this story was incorrect about the frequency with which Apple issues patches. The company has no fixed schedule for releasing security updates for its software.
CNet is fast becoming my favorite humor site, the way they make a concerted effort to spin the facts.
In this article, "Apple released 20 patches" (in reality, one update) with the details explained in an "advisory" (in fact the ReadMe for the update).
The flaws could "catch users off-guard" (in fact, no one has seen even the very first instance of a user being "caught off-guard" by a security issue on the Mac).
And three paragraphs are taken up with threats of an "attack" due to an Apache issue ("ALERT! YOUR MAC WEB SERVER IS TOAST!!"), but even Secunia, which makes its living by making people fearful of security issues, pretty much says this one is a non-issue. (Of course, in CNet-speak, they "downplayed" it.)
Then, one of the greatest fact-twists of all: CNet implies that by having "no fixed schedule" for patches, Apple is less responsible than Microsoft or Oracle, when in fact Apple has issued patches MORE frequently than either, when needed.
This kind of stuff is done by enough writers to lead one to believe that CNet tells them to write stories this way. Notice that Mac stories are usually in the "Most Popular Headlines."
For some reason, any story regarding Apple is read by an overwhelming number of CNet readers. Secondly, they almost always generate the most comments.
Because of this, it can be easy to argue that CNet would always put a "twist" in a story regarding Apple. In fact, just including any popular Mac product in a headline generates a lot of links being selected, and comments posted to it.
Bottom line, the stories with the most hits and comments are placed in the "Top" headlines. There is nothing nefarious about that one, single point. Though I do wonder about the rest of what you pointed out. ;-)
I found the AppleScript issue to be very reminiscent of the VBScript issue a while back.
Gee, I guess it is just a bad thing when Microsoft does it...