Feeds

With one bound, Apple is free of 54 security bugs

Mighty patches

5 things you didn’t know about cloud backup

Apple has rolled out software updates that patch just about everything but the kitchen sink. In all, there are fixes for at least 54 security bugs, many of which could allow attackers to remotely execute code on vulnerable Macs and Windows machines.

A whopping 41 vulnerabilities reside in OS X 10.4, which is better known as Tiger, 1of which 15 could lead to "arbitrary code execution". Buggy components include Safari, Kerberos, CFNetwork, AppleTalk, as well as the OS X kernel itself. The updates also fix a security hole in Apple's version of Adobe's Flash Player. Adobe has offered a update since July, but Apple is only now rolling it into its list of automatic updates.

The patch fest comes less than 48 hours after Microsoft released one of its sparsest monthly security updates in recent memory, with only one rated as critical. It also comes shortly after the discovery of a sophisticated port Trojan that targets Mac users.

"As Apple grows its market share and becomes a more mainstream operating system, there's going to be a lot more interest in it from the whitehats and the blackhats," said Randy Abrams, director of technical education at anti-virus provider Eset. "Apple users are going to have to get used to the same things that Microsoft and Unix users have dealt with for a long time and that's that patches are a fact of life."

A separate patch fixes three vulnerabilities for Leopard, the successor to Tiger that Apple released last month. The fixes appear to be tweaks to improve the security of the Leopard firewall. The patch, for instance, changes the description of one setting from "Block all incoming connections" to "Allow only essential services", so it's clear that mDNSResponder and other services continue to receive connections. Apple has also pared the processes permitted to receive such connections when the setting is turned on.

The Leopard fixes come two weeks after researchers from Heise Security criticized Apple for providing misleading firewall settings in the new OS.

"This is a good step forward in the right direction," Juergen Schmidt, Heise's editor-in-chief, said of the change. "I really appreciate it, that Apple did not take the smallest possible step to only change the name from "Block all" to "Allow only essential" but also drastically reduced the attack surface by allowing only a limited number of documented services to be reached."

By default, OS X is set to automatically check for the updates and prompt users to install them.

Apple also issued patches to plug 10 holes in the beta version of Safari for Windows. XP or Vista users who have installed the Apple software update application should receive a prompt to install the update. They can also do so manually by visiting this page. ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.