Feeds

With one bound, Apple is free of 54 security bugs

Mighty patches

5 things you didn’t know about cloud backup

Apple has rolled out software updates that patch just about everything but the kitchen sink. In all, there are fixes for at least 54 security bugs, many of which could allow attackers to remotely execute code on vulnerable Macs and Windows machines.

A whopping 41 vulnerabilities reside in OS X 10.4, which is better known as Tiger, 1of which 15 could lead to "arbitrary code execution". Buggy components include Safari, Kerberos, CFNetwork, AppleTalk, as well as the OS X kernel itself. The updates also fix a security hole in Apple's version of Adobe's Flash Player. Adobe has offered a update since July, but Apple is only now rolling it into its list of automatic updates.

The patch fest comes less than 48 hours after Microsoft released one of its sparsest monthly security updates in recent memory, with only one rated as critical. It also comes shortly after the discovery of a sophisticated port Trojan that targets Mac users.

"As Apple grows its market share and becomes a more mainstream operating system, there's going to be a lot more interest in it from the whitehats and the blackhats," said Randy Abrams, director of technical education at anti-virus provider Eset. "Apple users are going to have to get used to the same things that Microsoft and Unix users have dealt with for a long time and that's that patches are a fact of life."

A separate patch fixes three vulnerabilities for Leopard, the successor to Tiger that Apple released last month. The fixes appear to be tweaks to improve the security of the Leopard firewall. The patch, for instance, changes the description of one setting from "Block all incoming connections" to "Allow only essential services", so it's clear that mDNSResponder and other services continue to receive connections. Apple has also pared the processes permitted to receive such connections when the setting is turned on.

The Leopard fixes come two weeks after researchers from Heise Security criticized Apple for providing misleading firewall settings in the new OS.

"This is a good step forward in the right direction," Juergen Schmidt, Heise's editor-in-chief, said of the change. "I really appreciate it, that Apple did not take the smallest possible step to only change the name from "Block all" to "Allow only essential" but also drastically reduced the attack surface by allowing only a limited number of documented services to be reached."

By default, OS X is set to automatically check for the updates and prompt users to install them.

Apple also issued patches to plug 10 holes in the beta version of Safari for Windows. XP or Vista users who have installed the Apple software update application should receive a prompt to install the update. They can also do so manually by visiting this page. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?