Apple releases OS X security patches

Apple Computer has issued "highly critical" security updates to address more than a dozen vulnerabilities in its Mac OS X operating system.

Apple released on Tuesday security patches for Mac OS X 10.4.3, otherwise known as Tiger, as well as Mac OS X 10.3.9, dubbed Panther, according to the company's advisory.

Thirteen security flaws were found in areas related to the Apache 2 Web server, curl technology and the Safari browser. The vulnerabilities ranged from potentially letting an attacker launch a denial-of-service attack to taking control of a person's system remotely.

"The most severe of these are the vulnerabilities found in curl and the PCRE library used by Safari," said Thomas Kristensen, chief technology officer for security site Secunia, which rated Apple's updates as "highly critical"--the second-highest danger ranking.

A large number of applications could be affected by the vulnerability in the PCRE library used by Safari's JavaScript engine, Kristensen said. People who inadvertently click on a malicious Web site with their Safari browser could find the flaw exploited, leading to a remote execution of code on their system.

A flaw in Apple's curl technology, which is a library frequently used to download large files and pass them along, could be exploited if visiting a malicious Web site. The site, once detecting curl technology is present on a user's system, can take advantage of the security flaw, Kristensen said. That could result to a remote execution of code on a computer.

One security flaw addressed in the update involves a boundary error found in WebKit. This marks the second time in four months that Apple has addressed a flaw in WebKit, Kristensen said.

This latest flaw could let an attacker launch a buffer overflow, or denial of service attack, that could also lead to a remote execution of code and control of a person's system. The earlier flaw in WebKit dealt with the handling of PDF documents.

The new Mac OS X patches follow one issued earlier this month by Apple to address vulnerabilities in four areas of its operating system.

Apple was not available for immediate comment.

[kingofgods]

uh oh

Boy...those patches are starting to add up. Soon OSX will be up there with the "inferior" Windows......lmao

[Jac Koff]

How many times have you patched windows???????

Let's face it we all have to patch any os we use. As a sys admin for
Windows, OSX, and Linux I've had to patch them all. Always have
and unfortunately always will.....

[CharlesRovira]

Uh, I don't think that's possible.

And I'd already downloaded and installed the patches as soon as I'd heard that it was available (Otherwise, I'd have waited until Sunday when OS X Software Update usually runs.)

I can't say that for my wife's Win2k machine. The patches to that 'roto-rooter' broke iTunes with some form of DLL hell error when it eventually loaded some patches a while back.

Apple's packaging and the whole underlying OS is just designed and implemented better.

[FutureGuy]

Win2k???

Just an FYI, Win2k is now half a decade old. I have had 0 issues with XP.

[Christopher Hall]

Vulnerabilities?!

Clearly the article is mistaken. OSX is a virtual bastion of defense; it is entirely impenetrable.

[Tanjore]

Hope your comment was sarcastic!!

Hope your comment was sarcastic!!

[FutureGuy]

Patches for Apple ??? No way!!!

This reminds me of some bold comments by some Apple fans that OS X has ZERO vulnerability. Patches are reserved for MS stuff; Mac, Linux etc have perfect code, they could never need any patches. Wonder where those fanboys are now. Dont reply to this stating the Windows has more patches, we all know that, Windows also has a few hundred time more hackers trying to poke holes into. More patches doesnt mean more holes, it just means more known holes. Mac, Linux and the likes have atleast as many bugs are Windows.

[rfelgueiras]

there is a difference&

Apple patches vulnerabilities before any exploitation, Microsoft
patches windows after attacks have been made. No OS will EVER be
100% secure as long as hacker experience and tools evolve,
however, all you need to do is compare number of vulnerabilities to
the number of exploits in the wild and the truth will rise to the top
with that ratio. It's not just about how many vulnerabilities there
are, it's how many of them are exploited. That can't be rationally
denied.

[NeverFade]

Of course

there had always been patches for OSX. For 5+ years since OSX
was released there have been patches. That's how a product
evolves, dear boy.

There still have been no viruses - I think you are mixing that
comment up with the patches comment. Apple has to keep
vunerabilities closed just like windows tries to as well.

[vchmielewski]

Can you hear yourself?

Do you have any idea how ridiculous you sound? Some how, in
your mind, you have equated a few proactive patches with
thousands of existing exploits. This argument is so dumb, I'm not
even going to try bother addressing it directly. I can only assume
that you are looking for some rationale to jusity why you continue
to use an OS that you know sucks. The "grass is dead on the other
side too" mentality I guess.

[Bill Dautrive]

Be serious

No one has ever said OSX and Linux are perfect. There is no way you know much about computers, since you claim to be a programmer, let me guess, VB? As is VB is a legit programming language.

Windows is easy to hack,the only way to make it reasonalby safe is to unplug it from the internet, that is not the case with *nix. Hacking those systems actually takes some skill.

[Norseman]

Incidents, incidents, incidents!!!

Every OS has vulnerabilities. But what's counts is how many
INCIDENTS of worms, viruses, trojans, etc. an OS experiences. As
far as I know, OS X still has experienced zero incidents, including
all the users who have not been diligent about doing the security
updates. The *nix core of OS X was designed from the beginning
with security in mind, and it shows!

[FutureGuy]

read the artical

You seem to blinded to even read the artical. The artical states "That could result to a remote execution of code on a computer. ". Execute code means execute code period. Why are there no worms, no one bothered to write one, that's why. It's not the magical, supernatural "core" of OS X that's preventing it.

[uparrow]

re:

Its also worth noting that Microsoft have far more 'people' identifying these holes than Apple yet they still manage to plug holes before anyone exploits them.

[SystemsJunky]

The Ten Commandments

1. Thou shalt not be heterosexual
2. Thou shall not use Microsoft Products
3. Thou shalt not use anything else but apple products.
4. Thou shalt not take SJ's name in vain
5. Thou shalt covet thy neighbors PC's and throw up thy useless dribble on all who oppose thy view.
6. Thou shalt bend over and take it from SJ while he uses sandpaper with no questions. Thou shall feel delighted to : "take it like a man" in the rear and in the pocket book.
7. Thou shall flock from thy homes and offices to be slaughtered like cows.
8. Thou shall never play a "video game"
9. Thou shalt never question Apples authority
10. Thou shalt ever see anything past the Mac and thou shall be blind to all else. Thou shall be completely closed minded.

[SystemsJunky]

One more thing

Apple OS X Is da bomb and <<<you>>>> fools could never see the real power behind the almighty and powerful steve jobs. He has single handedly created the Heavens, The Earth, you and I, and all that you see, He knows everthing and someday you will learn to take it freely, as I have. Although you are but specks of poo in the underwear of him, you should be patient, because he will come again. This time to demolish the world with XCode Tools(r).

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA

MWHAHAHAHAHA


using System.Sarcasm.Not

if else

System.Dribble.Start

[Earl Benser]

In other words, ......

.... somebody let you out of your cage again. At least, you have yet
to write anything of importance, or even of interest. Consistency
has some value......

[open-mind]

Like Pigs In Poop ....

... stories like this sure make the Apple haters happy.

LOL :-)

Doesn't change the fact that there has still been (AFAIK) zero/zip/nada OS X malware or exploits.

Windows: 20x the market share.
Windows: 20,000x the malware/exploits.

Buy what you like ... that's what I do.

[Christopher Hall]

Whatever helps you sleep at night

Like you don't get any schadenfreude from the Windows stories.

And yet, when you're on the defensive, taking (a sick, to be sure) pleasure in the deficiencies of the competition is deplorable?

All in good fun, Paul, but when the Apple Zealots go bonkers with every announcement of a Windows flaw, you have to expect this sort of thing when the time comes to pay the piper. What is it they say about people in glass houses, again?

[M C]

Have you noticed: Apple finds its own flaws before anyone else does?

Can't say that for MS...

[Hernys]

That's a good thing

since it minimizes the chances of a zero day exploit, but not sure if it's the case. Where's that information (about the vulns being discovered by Apple and not reported to them by someone else) coming? I don't see anything related to that in the article. BTW, about 50% of vulnerabilities fixed by MS are discovered by them, the rest come from third parties.

[The user with no name]

thats because

1) Most people aren't using Apple
1.a) Most people dont care about Apple
1.b) Most exploit hunters fall in one of the above categories
2) FanBoys don't post exploits they quietly email them to Apple so that they can continue to say how Apple has no exploits and can continue justify the FanBoy experience
3) I dont care anough to continue making points

lol

[bettencourtt]

Excuse Me......

I was told to deliver all these saucers of milk here. Who wants to sign for them, please?

[J_Satch]

LMAO!!!

nuff said

[Nunya Bidnez]

FanB0yz achtung!

This article says it best, ends with "There are some people that
feel that, if they are running Mac OS X, then all is well,"
Dhamankar said. "That is no longer true." (The Register®):

<a class="jive-link-external" href="http://www.theregister.co.uk/2005/12/01/secfoc_macos/" target="_newWindow">http://www.theregister.co.uk/2005/12/01/secfoc_macos/</a>

Some arguments put forth in this thread debunked.

Systems Admin for both Mac &#38; Windows, agnostc: all OS's have
strengths &#38; weaknesses ;-)

[Bill Dautrive]

not debunked

Just because it is published, doesn't make it true.

[technewsjunkie]

Windoze apologists are in denial

No, I am not saying they don't have problems.
No, I am not saying they don't have vulnerabilities.

Yes, I am saying they are more secure, inherently by design and no, not solely because of market share.

[technewsjunkie]

OS X, Macs that is

OS X, Macs that is

[Thomas, David]

Apple Fixes before Problem, and Its News?

Come on guys. This is one tactic you have yet to release. I got the updates the same time you and the rest of the world did. Guess what, to my knowledge, these are all un-exploited areas, that are being updated.

The ONLY NEWS HERE, and it is OLD NEWS, is that Apple fixes potential problems BEFORE THEY HAPPEN.

YOU HAVE FAILED TIME AND TIME AGAIN TO EVEN MAKE THIS THE POINT. GUESS WHAT, IT IS THE ONLY POINT THAT EVEN MATTERS IN THESE STORIES.

YOU SUCK

[Christopher Hall]

You've found the root of the problem

Security exploits are only a problem when people don't patch their systems. My Windows box has auto-update turned on and guess what? I've never had a security problem, malware, virus, or the like!

Shocking, I know, especially if you pay any attention to any of the Mac Zealots who seem to think that all Windows machines are spyware infested, security hole-ridden computers ripe for the hacking. Of course, they all call me a liar, but people tend to do that when they don't want to face reality.

:)

[Norseman]

Here's a dandy little feature, PC fans

Microsoft now has a "Windows Live Safety Center" (Beta), where you can click a button to get a "Full Service Scan" of your computer. It says it scans for bad stuff and cleans and tunes up your computer.

<a class="jive-link-external" href="http://safety.live.com/site/en-US/default.htm" target="_newWindow">http://safety.live.com/site/en-US/default.htm</a>

Does it seem strange to anyone that Microsoft can scan and change what's on your computer ONLINE??? And if Microsoft can do it, how hard would it be for ANYONE to do it?

I hit the "Full Service Scan" button and got the message, "Whoops. The scanner doesnt work with your Web browser or operating system." In my book, that's the best security news you can get!

[Buckeroo]

APPLE: PAY MORE, STILL JUST LIKE WINDOWS

Common sense of even a child:
-Apple has many flaws , like iTunes, OS X holes.
-Apple OSX costs around $140--so does Windows
-Another verion of OSX is released every 3 months--Windows is released only every 2 years. So, Windows costs less.
-Windows has around 90% of the market, so 90% of hackers target windows.
-Mac has only 7% of hackers, if any; and there are dozens of security holes already. Imagine how many would be there is mac was as widely used as Windows.

My point: Macs cost more, hardware is expensive and propriatery, and we still get a product which is no better than Windows. Mac Sucks.

[Earl Benser]

Most children,,,,

... are smarter than this, even if only four or five years old.

[Buckeroo]

I agree.

I simply agree, nothing like Apple's mentality.

[pspenard]

Obviously you don't use OS X

I have been in computing since 1986, using DOS, then Windows
up until this day. I started using OS X on a Mac when it first
became available in 2001. Since that time, OS X has become a
solid piece of software. Many applications, including Microsoft's
Office run better on OS X. It is much more stable and robust. It is
designed with *NIX, BSD to be exact, under the hood. As any
software system that needs to communicate with programs and
other parts of it's own code, there will ALWAYS be holes to
patch. It's the nature of software when there is a trust factor that
is violated by a few bad apples (no pun intended). In order for
code to communicate in the programs and with the operating
system and to cooridinate with use over a public internet, this
will happen. The difference between Microsoft and Apple is that
the code in OS X is designed from the ground up, where as in
Windows, it's a continued patch of bad code over more bad
code. That's the reason for the larger vulnerabilities and
unrealiability. To this day I still use Windows and write programs
in Windows only environments and would rather work in the OS
X environment if I could. To state that Macs "suck" as you put it,
just shows how little you know. You must still be a kiddie in
school or someone with very little advanced computer
knowledge. As you grow older you will learn to choice your
words more wisely, so when you have to eat them later they will
go down much easier.

[Jon N.]

Right on, Paul!

Code is code, but like Guinan, a character in Star Trek:TNG said in the episode 'The Best Of Both Worlds, Part 2',"The Borg have Picard. If he wrote the book, then that means you have to throw the book away! Start over." When hackers, crackers, &#38; black hats (The Borg) stole source code from MS Windows(Picard), &#38; made viruses &#38; worms so leathal that it would literally &#38; physically destroy computers,(i.e., The Hare Krishna Virus &#38; computers in S. Korea) then it was time to "Throw the book away" and start over. You are right on, Paul, when you say that Windows is bad code on top of bad code. It wasn't originally bad code, but "comprimised code" would be a better way of saying it. So we can say that Windows has been "assimilated" by the "Borg". Now, Uncle Billy wants to put *NIX like root password functions &#38; permissions on top of that bad, comprimised, "assimilated" code in Vista! That's like telling the best safe cracker in the world, "I've just put 1 Billion U.S. in Fort Knox, no gates, no walls, no guards. Just a big combination safe door in front of it". Just the challenge alone, would bring thousands of safe crackers from all over the world scrambling to the safes door, just to have a crack at it! Yes, in any operating system, there will always be oscillations in code &#38; us, trying to protect our machines from the collective "Borg" by patching &#38; re-working the code...ANY code.
But, if the source code has been comprimised (and in Windows it has been - big time!), Then it's time to throw the book away &#38; start over. Apple did just that. They suffered initially for doing it, also. When they rebuilt their OS, most of the older MAC programs didn't work any longer, &#38; users initaially took their business &#38; their computing dollars elsewhere. What does Uncle Billy do when some borg-like cracker exploits his code &#38; wreaks havoc? Does he prosecute them to the fullest extent of the law? No. He gets them a position at Microsoft. Want a nice, cozy position at Microsoft? Exploit his code, &#38; destroy hundreds of thousands of on-line lives! Then the employment application form will be right there waiting for you! He might even send it to you postpaid! OS-X, Linux, Solaris, Unix, BSD. There are more secure alternatives...

[eagle95]

Uhhhh

If you go to Ebay, they actually post that they use Sun Solaris OS to
power Ebay. They also use Java.

[jbspeer]

Flawed Patch Job...

The recent 20-pack security updates apparently corrupted/
deleted the Info.plist file associated with the Mail.app Package.

The problem I experienced was that Mail wouldn't do anything
when I tried to launch it -- the dock icon would bounce 3 time
and then Nothing! Subsequent clicks got only one bounce.

This was right after installing the recent slug of 20 security
updates. Some digging (I don't even know what an Application
Package is) got the following error in Terminal:

2006-03-05 11:53:09.257 Mail[268] No Info.plist file in
application bundle or no NSPrincipalClass in the Info.plist file,
exiting

Indeed, the Info.plist file wasn't in the Package. After replacing
the Mail.app file in my Applications folder with a backed up
version the Info.plist was restored and the programs appears to
be working.

[Jon N.]

Oh, Please people. Let's keep it REAL!

First things first. OS-X is a great system that has excellent security protocols. But so does Linux, &#38; Solaris. Microsoft is everywhere, especially in the office! Microsoft is playing catch-up with the security protocols, and Linux is just beginning to experience programming standards. The new "Vista" OS is going to have the same security protocols that OS-X, Linux, &#38; Solaris have. Isn't open source great?! You call it root...Microsoft will call it Administrator. Better late then never. I hope they can keep the cost of the new OS down below $130. Have you seen the screenshots? It looks like they swiped the desktop from a Linux KDE SUSE system! Apple is beginning to see that the next wave of cyber-terrorists &#38; black hats will be targeting their systems as well. Though, I feel that it would be extremely difficult to do. Nothing is impenitrable. No ship unsinkable! Remember 4/15/1912? Well, if the roles were reversed &#38; if Apple had 90% market share (and with all the flavors of Linux out there, I see that number as generous for M$)&#38; M$ Windows had 4%, (I think that for Apple, this number is an underestimation)then I agree that the cyber-thugs out there would be more apt to go for Apple's throat! For some strange reason no matter how ya slice it, someone is always gunning for the guy or gal on the top! A smaller market share with a smaller consumer base = more time for better code, better implimentation as well as more R&#38;D time. I still think that since Apple is switching to Intel chips, that they should fire the first salvo of code directly at Microsoft and make an OS-X for the Intel/AMD machines that are already out there. Oops! There I go, dreamin' again!

[Bill Dautrive]

re

"The new "Vista" OS is going to have the same security protocols that OS-X, Linux, &#38; Solaris have. Isn't open source great?! You call it root...Microsoft will call it Administrator."

XP was supposed to also, in fact they do have an Administrator, problem is it was implemented in a half-assed way. Vista is not only coming to the party years late and underfeatured, but it will still hang on to "features" that cause windows to degrades over time(no other OS degrades, only windows) and cause security issues(aka the registry,activeX, ect). There inclusion might make for better backwards compatibility, but at a high cost of security and performance issues.

As for the rest of your uninformed post, read Johnny Mnumonics reply.

[Jon N.]

The uninformed thank you!

Look. I don't have a Masters in computer technology, nor a B.S. in computer science or programming. I am only going by my experiences as an end user. I was into computers (a TRS-80 Model I) back in 1980. To those that are more proficient (if not more educated) great! Rock on! But to slam a person for not having all the data concerning a subject is just being an intellectual elitist! There are many out here in cyberspace that are hoping for a resolution to the XP problem, &#38; trying to find alternatives. I feel that any suggestions or input can be helpful, if it's given in a spirit of information &#38; education. Those of you that slam the uninformed for chiming in, ought to be ashamed at yourselves! You were once a greenhorn newbie, too!
And to all the uninformed in cyberspace,
Your Welcome!
Jon N.

[Johnny Mnemonic]

Incorrect Assumptions...

Linux/Unix is a 30 some year old system. It has
POSIX, which is the Portable Operating System
Interface. C was developed for UNIX in order
to more easily port it to another platform.
The primary Internet protocols were developed on
a UNIX system. When it comes to standards, Linux
and UNIX based systems are the leaders. Rather,
Microsoft tends to "embrace and extend". It takes
a open standard and closes it.

Regarding your statement about the more popular
platform being a larger target...
Perhaps the most oft-repeated myth regarding
Windows vs. Linux security is the claim that
Windows has more incidents of viruses, worms,
Trojans and other problems because malicious
hackers tend to confine their activities to
breaking into the software with the largest
installed base. This reasoning is applied to
defend Windows and Windows applications. Windows
dominates the desktop; therefore Windows and
Windows applications are the focus of the most
attacks, which is why you don't see viruses, worms
and Trojans for Linux. While this may be true, at
least in part, the intentional implication is not
necessarily true: That Linux/UNIX and Linux/UNIX
applications are no more secure than Windows and
Windows applications, but Linux/UNIX is simply too
trifling a target to bother attacking.

This reasoning backfires when one considers that
Apache is by far the most popular web server
software on the Internet. According to the
September 2004 Netcraft web site survey, 68% of
web sites run the Apache web server. Only 21% of
web sites run Microsoft IIS. If security problems
boil down to the simple fact that malicious
hackers target the largest installed base, it
follows that we should see more worms, viruses,
and other malware targeting Apache and the
underlying operating systems for Apache than for
Windows and IIS. Furthermore, we should see more
successful attacks against Apache than against
IIS, since the implication of the myth is that the
problem is one of numbers, not vulnerabilities.

Yet this is precisely the opposite of what we
find, historically. IIS has long been the primary
target for worms and other attacks, and these
attacks have been largely successful. The Code Red
worm that exploited a buffer overrun in an IIS
service to gain control of the web servers
infected some 300,000 servers, and the number of
infections only stopped because the worm was
deliberately written to stop spreading. Code Red.A
had an even faster rate of infection, although it
too self-terminated after three weeks. Another
worm, IISWorm, had a limited impact only because
the worm was badly written, not because IIS
successfully protected itself.

Yes, worms for Apache have been known to exist,
such as the Slapper worm. (Slapper actually
exploited a known vulnerability in OpenSSL, not
Apache). But Apache worms rarely make headlines
because they have such a limited range of effect,
and are easily eradicated. Target sites were
already plugging the known OpenSSL hole. It was
also trivially easy to clean and restore infected
site with a few commands, and without as much as a
reboot, thanks to the modular nature of Linux and
UNIX.

Perhaps this is why, according to Netcraft, 47 of
the top 50 web sites with the longest running
uptime (times between reboots) run Apache. None of
the top 50 web sites runs Windows or Microsoft
IIS. So if it is true that malicious hackers
attack the most numerous software platforms, that
raises the question as to why hackers are so
successful at breaking into the most popular
desktop software and operating system, infect
300,000 IIS servers, but are unable to do similar
damage to the most popular web server and its
operating systems?

Food for thought.