Apple (Nasdaq: AAPL) released a big security patch for its Mac OS X operating system Tuesday. The mega-update patches some 45 weak spots, including several zero-day vulnerabilities. About one-third of the fixes address security issues revealed on the "Month of Kernel Bugs" (MOKB) and "Month of Apple Bugs" (MOAB) blogs.
This latest update marks the seventh time Apple has released a security patch since the start of 2007. It affects Apple computers running Mac OS X version 10.3.9 and Mac OS X Server version 10.3.9. Mac OS X version 10.4.9 contains the security fixes released in Tuesday's patch and, according to the Cupertino, Calif., computer maker, will install on Mac OS X v10.4 or later as well as Mac OS X Server v10.4 or later systems.
"This is an extremely critical update," Rich Mogull, a Gartner (NYSE: IT) analyst, told MacNewsWorld.
Bug Infestation
The update includes fixes for problems within Apple's software as well as third-party applications such as Adobe Systems' (Nasdaq: ADBE) Flash Player, OpenSSH and MySQL. Also, while many of the flaws pose no serious security risk, several could allow attackers to remotely execute code through which they could gain control over a Mac.
Anything that allows someone to remotely install something on another person's machine is a big vulnerability, Dave Cole, director of Symantec (Nasdaq: SYMC) Security Response, told MacNewsWorld.
Cole agreed with Apple that Mac users should definitely download this security patch and apply it. "There are some serious vulnerabilities [corrected] in it and we want people to be protected. Without a doubt this is an important one and if you're thinking of skipping an update, this isn't the one to skip," he stated.
There is good news and bad news with an update containing so many patches, according to Cole. "The bad news is that it is around an 8 MB patch," he said. "The good news is that when you apply it you get them all in one."
Flaw Catcher
This is the first large-scale security update for Apple since August 2006, when it released a patch containing fixes for 26 vulnerabilities. Tuesday's update corrected several flaws brought to light during November 2006 and January of this year by "Month of" bloggers H.D. Moore, director of security research for BreakingPoint Systems, and a researcher known only as LMH. Nine of the fixes pertain to bugs released during MOAB; an additional seven deal with flaws brought to light during MOKB.
The bloggers' stated goal was to reveal major security flaws that put both Mac and Windows users at risk. Gartner's Mogull sees the update as a small vindication for the bloggers, as it proves Apple has security issues about which Mac users should be aware. It does not, however, validate the tactics the bloggers used, he asserted.
"It does not validate the approach of releasing the actual exploit as part of reporting the vulnerability," he stated. "You could say that they did force Apple to respond, but Apple is also patching a number of things not addressed in the 'Month of Apple Bugs' project as well."
Great Security Hype?
Including Tuesday's releases, Apple has released seven security updates this year. Compare that to the 16 security bulletins released by Microsoft (Nasdaq: MSFT) to correct some 30 vulnerabilities in the same time period, and it appears that Apple's marketing campaign touting the superior security of a Mac may not be an exercise in hyperbole.
However, on the same day Apple released its 45 fixes, Microsoft sat out its regular monthly update of what has come to be known as "Patch Tuesday."
The patch is a big one for sure, but it isn't the first time Apple has released a patch this size, Symantec's Cole explained.
"This comes at a time when they've thrown off the gloves and taken on Vista in their consumer marketing," he said. "The question is, are the people watching those commercials aware of the [security updates] and what Microsoft will do with this information? I'm sure Microsoft was not wholly unhappy that on a day they didn't release patches, Apple did."
Mogull credits Apple for issuing such a comprehensive update; however, he said the computer maker needs to put a greater emphasis on security.
"Apple does not have a chief security officer. They are hiring for a new security position, but security is not as ingrained in the Apple culture and the development process as it is in other places," he noted.
Apple gets a mixed grade, Mogull continued. He gives them a good grade for plugging so many holes, several of which were critical. However, the events of the past year indicate that Apple needs to take security more seriously.
"That is something we hope to see them do in the future," he added. "But, if they want to use security in their marketing campaign, they will really need to make a very big effort."