Feeds

With one bound, Apple is free of 54 security bugs

Mighty patches

Choosing a cloud hosting partner with confidence

Apple has rolled out software updates that patch just about everything but the kitchen sink. In all, there are fixes for at least 54 security bugs, many of which could allow attackers to remotely execute code on vulnerable Macs and Windows machines.

A whopping 41 vulnerabilities reside in OS X 10.4, which is better known as Tiger, 1of which 15 could lead to "arbitrary code execution". Buggy components include Safari, Kerberos, CFNetwork, AppleTalk, as well as the OS X kernel itself. The updates also fix a security hole in Apple's version of Adobe's Flash Player. Adobe has offered a update since July, but Apple is only now rolling it into its list of automatic updates.

The patch fest comes less than 48 hours after Microsoft released one of its sparsest monthly security updates in recent memory, with only one rated as critical. It also comes shortly after the discovery of a sophisticated port Trojan that targets Mac users.

"As Apple grows its market share and becomes a more mainstream operating system, there's going to be a lot more interest in it from the whitehats and the blackhats," said Randy Abrams, director of technical education at anti-virus provider Eset. "Apple users are going to have to get used to the same things that Microsoft and Unix users have dealt with for a long time and that's that patches are a fact of life."

A separate patch fixes three vulnerabilities for Leopard, the successor to Tiger that Apple released last month. The fixes appear to be tweaks to improve the security of the Leopard firewall. The patch, for instance, changes the description of one setting from "Block all incoming connections" to "Allow only essential services", so it's clear that mDNSResponder and other services continue to receive connections. Apple has also pared the processes permitted to receive such connections when the setting is turned on.

The Leopard fixes come two weeks after researchers from Heise Security criticized Apple for providing misleading firewall settings in the new OS.

"This is a good step forward in the right direction," Juergen Schmidt, Heise's editor-in-chief, said of the change. "I really appreciate it, that Apple did not take the smallest possible step to only change the name from "Block all" to "Allow only essential" but also drastically reduced the attack surface by allowing only a limited number of documented services to be reached."

By default, OS X is set to automatically check for the updates and prompt users to install them.

Apple also issued patches to plug 10 holes in the beta version of Safari for Windows. XP or Vista users who have installed the Apple software update application should receive a prompt to install the update. They can also do so manually by visiting this page. ®

Remote control for virtualized desktops

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.