
November 30, 2005 8:02 AM PST

Apple releases OS X security patches

Apple Computer has issued "highly critical" security updates to address more than a dozen vulnerabilities in its Mac OS X operating system.

Apple released on Tuesday security patches for Mac OS X 10.4.3, otherwise known as Tiger, as well as Mac OS X 10.3.9, dubbed Panther, according to the company's advisory.

Thirteen security flaws were found in areas related to the Apache 2 Web server, curl technology and the Safari browser. The vulnerabilities ranged from potentially letting an attacker launch a denial-of-service attack to taking control of a person's system remotely.

"The most severe of these are the vulnerabilities found in curl and the PCRE library used by Safari," said Thomas Kristensen, chief technology officer for security site Secunia, which rated Apple's updates as "highly critical"--the second-highest danger ranking.

A large number of applications could be affected by the vulnerability in the PCRE library used by Safari's JavaScript engine, Kristensen said. People who inadvertently click on a malicious Web site with their Safari browser could find the flaw exploited, leading to a remote execution of code on their system.

A flaw in Apple's curl technology, which is a library frequently used to download large files and pass them along, could be exploited when a user visits a malicious Web site. The site, once it detects that curl technology is present on a user's system, can take advantage of the security flaw, Kristensen said. That could result in a remote execution of code on a computer.

One security flaw addressed in the update involves a boundary error found in WebKit. This marks the second time in four months that Apple has addressed a flaw in WebKit, Kristensen said.

This latest flaw could let an attacker launch a buffer overflow, or denial of service attack, that could also lead to a remote execution of code and control of a person's system. The earlier flaw in WebKit dealt with the handling of PDF documents.

The new Mac OS X patches follow one issued earlier this month by Apple to address vulnerabilities in four areas of its operating system.

Apple was not available for immediate comment.

Showing 1 of 2 pages (110 Comments)
uh oh
by kingofgods November 30, 2005 8:42 AM PST
Boy...those patches are starting to add up. Soon OSX will be up there with the "inferior" Windows......lmao
How many times have you patched windows???????
by Jac Koff November 30, 2005 9:13 AM PST
Let's face it we all have to patch any os we use. As a sys admin for
Windows, OSX, and Linux I've had to patch them all. Always have
and unfortunately always will.....
Uh, I don't think that's possible.
by CharlesRovira November 30, 2005 8:51 AM PST
And I'd already downloaded and installed the patches as soon as I'd heard that it was available (Otherwise, I'd have waited until Sunday when OS X Software Update usually runs.)

I can't say that for my wife's Win2k machine. The patches to that 'roto-rooter' broke iTunes with some form of DLL hell error when it eventually loaded some patches a while back.

Apple's packaging and the whole underlying OS is just designed and implemented better.
Win2k???
by FutureGuy November 30, 2005 9:58 AM PST
Just an FYI, Win2k is now half a decade old. I have had 0 issues with XP.
Vulnerabilities?!
by Christopher Hall November 30, 2005 9:03 AM PST
Clearly the article is mistaken. OSX is a virtual bastion of defense; it is entirely impenetrable.
Hope your comment was sarcastic!!
by Tanjore November 30, 2005 2:11 PM PST
Hope your comment was sarcastic!!
Patches for Apple ??? No way!!!
by FutureGuy November 30, 2005 9:56 AM PST
This reminds me of some bold comments by some Apple fans that OS X has ZERO vulnerability. Patches are reserved for MS stuff; Mac, Linux etc have perfect code, they could never need any patches. Wonder where those fanboys are now. Don't reply to this stating that Windows has more patches, we all know that, Windows also has a few hundred times more hackers trying to poke holes into it. More patches doesn't mean more holes, it just means more "known" holes. Mac, Linux and the likes have at least as many bugs as Windows.
there is a difference?
by rfelgueiras November 30, 2005 10:24 AM PST
Apple patches vulnerabilities before any exploitation, Microsoft
patches windows after attacks have been made. No OS will EVER be
100% secure as long as hacker experience and tools evolve,
however, all you need to do is compare number of vulnerabilities to
the number of exploits in the wild and the truth will rise to the top
with that ratio. It's not just about how many vulnerabilities there
are, it's how many of them are exploited. That can't be rationally
denied.
Of course
by NeverFade November 30, 2005 11:25 AM PST
there had always been patches for OSX. For 5+ years since OSX
was released there have been patches. That's how a product
evolves, dear boy.

There still have been no viruses - I think you are mixing that
comment up with the patches comment. Apple has to keep
vulnerabilities closed just like windows tries to as well.
Can you hear yourself?
by vchmielewski November 30, 2005 1:52 PM PST
Do you have any idea how ridiculous you sound? Somehow, in
your mind, you have equated a few proactive patches with
thousands of existing exploits. This argument is so dumb, I'm not
even going to bother addressing it directly. I can only assume
that you are looking for some rationale to justify why you continue
to use an OS that you know sucks. The "grass is dead on the other
side too" mentality I guess.
Be serious
by Bill Dautrive December 1, 2005 7:58 AM PST
No one has ever said OSX and Linux are perfect. There is no way you know much about computers, since you claim to be a programmer, let me guess, VB? As if VB is a legit programming language.

Windows is easy to hack, the only way to make it reasonably safe is to unplug it from the internet, that is not the case with *nix. Hacking those systems actually takes some skill.
Incidents, incidents, incidents!!!
by Norseman November 30, 2005 11:07 AM PST
Every OS has vulnerabilities. But what counts is how many
INCIDENTS of worms, viruses, trojans, etc. an OS experiences. As
far as I know, OS X still has experienced zero incidents, including
all the users who have not been diligent about doing the security
updates. The *nix core of OS X was designed from the beginning
with security in mind, and it shows!
read the article
by FutureGuy November 30, 2005 11:26 AM PST
You seem too blinded to even read the article. The article states "That could result in a remote execution of code on a computer." Execute code means execute code period. Why are there no worms, no one bothered to write one, that's why. It's not the magical, supernatural "core" of OS X that's preventing it.
re:
by uparrow November 30, 2005 12:51 PM PST
It's also worth noting that Microsoft have far more 'people' identifying these holes than Apple yet they still manage to plug holes before anyone exploits them.
The Ten Commandments
by SystemsJunky November 30, 2005 2:10 PM PST
1. Thou shalt not be heterosexual
2. Thou shall not use Microsoft Products
3. Thou shalt not use anything else but apple products.
4. Thou shalt not take SJ's name in vain
5. Thou shalt covet thy neighbors PC's and throw up thy useless dribble on all who oppose thy view.
6. Thou shalt bend over and take it from SJ while he uses sandpaper with no questions. Thou shall feel delighted to : "take it like a man" in the rear and in the pocket book.
7. Thou shall flock from thy homes and offices to be slaughtered like cows.
8. Thou shall never play a "video game"
9. Thou shalt never question Apples authority
10. Thou shalt ever see anything past the Mac and thou shall be blind to all else. Thou shall be completely closed minded.
One more thing
by SystemsJunky November 30, 2005 2:17 PM PST
Apple OS X Is da bomb and <<<you>>>> fools could never see the real power behind the almighty and powerful steve jobs. He has single handedly created the Heavens, The Earth, you and I, and all that you see, He knows everything and someday you will learn to take it freely, as I have. Although you are but specks of poo in the underwear of him, you should be patient, because he will come again. This time to demolish the world with XCode Tools(r).

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA


using System.Sarcasm.Not

if else

System.Dribble.Start
In other words, ......
by Earl Benser November 30, 2005 3:22 PM PST
.... somebody let you out of your cage again. At least, you have yet
to write anything of importance, or even of interest. Consistency
has some value......
Like Pigs In Poop ....
by open-mind November 30, 2005 4:06 PM PST
... stories like this sure make the Apple haters happy.

LOL :-)

Doesn't change the fact that there has still been (AFAIK) zero/zip/nada OS X malware or exploits.

Windows: 20x the market share.
Windows: 20,000x the malware/exploits.

Buy what you like ... that's what I do.
Whatever helps you sleep at night
by Christopher Hall December 2, 2005 7:48 AM PST
Like you don't get any schadenfreude from the Windows stories.

And yet, when you're on the defensive, taking (a sick, to be sure) pleasure in the deficiencies of the competition is deplorable?

All in good fun, Paul, but when the Apple Zealots go bonkers with every announcement of a Windows flaw, you have to expect this sort of thing when the time comes to pay the piper. What is it they say about people in glass houses, again?
Have you noticed: Apple finds its own flaws before anyone else does?
by M C November 30, 2005 9:25 PM PST
Can't say that for MS...
That's a good thing
by Hernys December 1, 2005 12:09 AM PST
since it minimizes the chances of a zero day exploit, but not sure if it's the case. Where's that information (about the vulns being discovered by Apple and not reported to them by someone else) coming? I don't see anything related to that in the article. BTW, about 50% of vulnerabilities fixed by MS are discovered by them, the rest come from third parties.
thats because
by The user with no name December 2, 2005 11:38 AM PST
1) Most people aren't using Apple
1.a) Most people don't care about Apple
1.b) Most exploit hunters fall in one of the above categories
2) FanBoys don't post exploits they quietly email them to Apple so that they can continue to say how Apple has no exploits and can continue justify the FanBoy experience
3) I don't care enough to continue making points

lol
Excuse Me......
by bettencourtt December 1, 2005 10:50 AM PST
I was told to deliver all these saucers of milk here. Who wants to sign for them, please?
LMAO!!!
by J_Satch December 2, 2005 11:38 AM PST
nuff said
FanB0yz achtung!
by Nunya Bidnez December 1, 2005 11:48 AM PST
This article says it best, ends with "There are some people that
feel that, if they are running Mac OS X, then all is well,"
Dhamankar said. "That is no longer true." (The Register®):

http://www.theregister.co.uk/2005/12/01/secfoc_macos/

Some arguments put forth in this thread debunked.

Systems Admin for both Mac & Windows, agnostic: all OS's have
strengths & weaknesses ;-)
not debunked
by Bill Dautrive December 1, 2005 7:01 PM PST
Just because it is published, doesn't make it true.
Windoze apologists are in denial
by technewsjunkie December 1, 2005 11:59 AM PST
No, I am not saying they don't have problems.
No, I am not saying they don't have vulnerabilities.

Yes, I am saying they are more secure, inherently by design and no, not solely because of market share.
OS X, Macs that is
by technewsjunkie December 1, 2005 12:00 PM PST
OS X, Macs that is
Apple Fixes before Problem, and Its News?
by Thomas, David December 1, 2005 5:25 PM PST
Come on guys. This is one tactic you have yet to release. I got the updates the same time you and the rest of the world did. Guess what, to my knowledge, these are all un-exploited areas, that are being updated.

The ONLY NEWS HERE, and it is OLD NEWS, is that Apple fixes potential problems BEFORE THEY HAPPEN.

YOU HAVE FAILED TIME AND TIME AGAIN TO EVEN MAKE THIS THE POINT. GUESS WHAT, IT IS THE ONLY POINT THAT EVEN MATTERS IN THESE STORIES.

YOU SUCK
You've found the root of the problem
by Christopher Hall December 2, 2005 8:02 AM PST
Security exploits are only a problem when people don't patch their systems. My Windows box has auto-update turned on and guess what? I've never had a security problem, malware, virus, or the like!

Shocking, I know, especially if you pay any attention to any of the Mac Zealots who seem to think that all Windows machines are spyware infested, security hole-ridden computers ripe for the hacking. Of course, they all call me a liar, but people tend to do that when they don't want to face reality.

:)
Here's a dandy little feature, PC fans
by Norseman December 2, 2005 3:13 PM PST
Microsoft now has a "Windows Live Safety Center" (Beta), where you can click a button to get a "Full Service Scan" of your computer. It says it scans for bad stuff and cleans and tunes up your computer.

http://safety.live.com/site/en-US/default.htm

Does it seem strange to anyone that Microsoft can scan and change what's on your computer ONLINE??? And if Microsoft can do it, how hard would it be for ANYONE to do it?

I hit the "Full Service Scan" button and got the message, "Whoops. The scanner doesn't work with your Web browser or operating system." In my book, that's the best security news you can get!
APPLE: PAY MORE, STILL JUST LIKE WINDOWS
by Buckeroo December 2, 2005 6:23 PM PST
Common sense of even a child:
-Apple has many flaws, like iTunes, OS X holes.
-Apple OSX costs around $140--so does Windows
-Another version of OSX is released every 3 months--Windows is released only every 2 years. So, Windows costs less.
-Windows has around 90% of the market, so 90% of hackers target windows.
-Mac has only 7% of hackers, if any; and there are dozens of security holes already. Imagine how many would be there if mac was as widely used as Windows.

My point: Macs cost more, hardware is expensive and proprietary, and we still get a product which is no better than Windows. Mac Sucks.
Most children,,,,
by Earl Benser December 3, 2005 6:24 AM PST
... are smarter than this, even if only four or five years old.
I agree.
by Buckeroo December 2, 2005 6:27 PM PST
I simply agree, nothing like Apple's mentality.
Obviously you don't use OS X
by pspenard December 3, 2005 12:46 AM PST
I have been in computing since 1986, using DOS, then Windows
up until this day. I started using OS X on a Mac when it first
became available in 2001. Since that time, OS X has become a
solid piece of software. Many applications, including Microsoft's
Office run better on OS X. It is much more stable and robust. It is
designed with *NIX, BSD to be exact, under the hood. As any
software system that needs to communicate with programs and
other parts of its own code, there will ALWAYS be holes to
patch. It's the nature of software when there is a trust factor that
is violated by a few bad apples (no pun intended). In order for
code to communicate in the programs and with the operating
system and to coordinate with use over a public internet, this
will happen. The difference between Microsoft and Apple is that
the code in OS X is designed from the ground up, whereas in
Windows, it's a continued patch of bad code over more bad
code. That's the reason for the larger vulnerabilities and
unreliability. To this day I still use Windows and write programs
in Windows only environments and would rather work in the OS
X environment if I could. To state that Macs "suck" as you put it,
just shows how little you know. You must still be a kiddie in
school or someone with very little advanced computer
knowledge. As you grow older you will learn to choose your
words more wisely, so when you have to eat them later they will
go down much easier.
Right on, Paul!
by Jon N. December 3, 2005 8:40 AM PST
Code is code, but like Guinan, a character in Star Trek:TNG said in the episode 'The Best Of Both Worlds, Part 2', "The Borg have Picard. If he wrote the book, then that means you have to throw the book away! Start over." When hackers, crackers, & black hats (The Borg) stole source code from MS Windows (Picard), & made viruses & worms so lethal that it would literally & physically destroy computers, (i.e., The Hare Krishna Virus & computers in S. Korea) then it was time to "Throw the book away" and start over. You are right on, Paul, when you say that Windows is bad code on top of bad code. It wasn't originally bad code, but "compromised code" would be a better way of saying it. So we can say that Windows has been "assimilated" by the "Borg". Now, Uncle Billy wants to put *NIX like root password functions & permissions on top of that bad, compromised, "assimilated" code in Vista! That's like telling the best safe cracker in the world, "I've just put 1 Billion U.S. in Fort Knox, no gates, no walls, no guards. Just a big combination safe door in front of it". Just the challenge alone, would bring thousands of safe crackers from all over the world scrambling to the safe's door, just to have a crack at it! Yes, in any operating system, there will always be oscillations in code & us, trying to protect our machines from the collective "Borg" by patching & re-working the code...ANY code.
But, if the source code has been compromised (and in Windows it has been - big time!), then it's time to throw the book away & start over. Apple did just that. They suffered initially for doing it, also. When they rebuilt their OS, most of the older MAC programs didn't work any longer, & users initially took their business & their computing dollars elsewhere. What does Uncle Billy do when some borg-like cracker exploits his code & wreaks havoc? Does he prosecute them to the fullest extent of the law? No. He gets them a position at Microsoft. Want a nice, cozy position at Microsoft? Exploit his code, & destroy hundreds of thousands of on-line lives! Then the employment application form will be right there waiting for you! He might even send it to you postpaid! OS-X, Linux, Solaris, Unix, BSD. There are more secure alternatives...
Uhhhh
by eagle95 December 3, 2005 4:34 AM PST
If you go to Ebay, they actually post that they use Sun Solaris OS to
power Ebay. They also use Java.
Flawed Patch Job...
by jbspeer March 5, 2006 5:34 PM PST
The recent 20-pack security updates apparently corrupted/
deleted the Info.plist file associated with the Mail.app Package.

The problem I experienced was that Mail wouldn't do anything
when I tried to launch it -- the dock icon would bounce 3 times
and then Nothing! Subsequent clicks got only one bounce.

This was right after installing the recent slug of 20 security
updates. Some digging (I don't even know what an Application
Package is) got the following error in Terminal:

2006-03-05 11:53:09.257 Mail[268] No Info.plist file in
application bundle or no NSPrincipalClass in the Info.plist file,
exiting

Indeed, the Info.plist file wasn't in the Package. After replacing
the Mail.app file in my Applications folder with a backed up
version the Info.plist was restored and the program appears to
be working.