
Apple's '07 Patch Tally Nearly Twice Last Year's


Apple released its ninth set of security patches in 2007 Monday, bringing the total number of vulnerabilities it's fixed this year to about 200 -- nearly twice the number it patched last year. ABI Research analyst Zippy Aima praised the computer maker for its response time but questioned the apparent lack of urgency Apple expresses to users who need to update their systems.



Apple's (Nasdaq: AAPL) patchy year continued Monday as the Mac maker released fixes for some 40 Mac OS X glitches in its ninth security update. In a separate release, Apple also put out an update to plug a flaw in the beta version of its Safari 3 Web browser running on Windows Vista and XP. The company also dealt with 18 other Java-related vulnerabilities in addition to its ongoing QuickTime flaw, with patches released last Thursday.

Apple does not rank the severity of its bugs, but among the fixes included in Monday's update, 20 of them should be considered critical, said SophosLabs manager Richard Wang. Those critical fixes patch up holes in the Mac OS X operating system's CFNetwork, Core Foundation, CUPS, Quick Look, Safari and Mail.

"Any vulnerability that can allow arbitrary or remote code execution should be considered to be critical. These are the kinds of vulnerability that a hacker can use to install their own software on an affected Mac," he told MacNewsWorld.

So far, with the latest Security Update 2007-009 patches included, Apple has released fixes for some 200 programming hitches -- nearly twice the 103 vulnerabilities it patched in 2006.

Year-End Plugs

Apple's last security update for 2007 corrects issues affecting users of Mac OS X 10.4 and 10.5 (Tiger and Leopard) operating systems. Included in the update are 31 fixes for the operating systems. The rest address issues with OS components such as Address Book, iChat, and a Flash Player Plug-in as well as background operations including ColorSync and IO Storage Family.

The Java run-time update is a critically important update that addresses 18 vulnerabilities which could put Mac OS X users at risk by allowing hackers to run remote code execution attacks on vulnerable systems. Several of the patches fix issues that could allow an interloper to insert or remove items from Keychain, Apple's password manager, without prompting.

The Safari Browser beta update corrects a cross-site scripting issue and is necessary only for Windows XP and Vista users.

"All of these security patches are very important," Zippy Aima, an analyst at ABI Research, told MacNewsWorld. "When we talk about software or a certain platform every bit makes a difference. So if they are releasing patches for even the least critical things, it makes a difference and that's why the patches are released."

Mac Talk

Even while Apple seems to have significantly ramped up its security profile with multiple bulky updates rolled out this year, the company still needs to effectively communicate the importance of downloading and installing the updates to Mac users, said Aima, who owns a Mac.

"[Apple] has been very quick to release updates and in its response time, but the way it is being communicated to the Mac user [does not emphasize the importance of installing any given security update]," she explained.

There is a widely held perception among computer users, particularly Mac owners, that Apple computers are more secure than PCs. Unlike Microsoft (Nasdaq: MSFT), which ranks its updates and informs curious PC users about the importance of security fixes included in an update, Mac users can easily ignore the update message, according to Aima.

"It will show up and just say 'security' or 'new updates.' If I'm not a technical person, I might just ignore it, and I would probably say that I could just do that later. But maybe it contains something critical and needs immediate action, but I ignore it because its importance is not communicated," she pointed out.

"There is no security that is foolproof or cannot be hacked," Aima continued.

Growing Base

"As the number of Macs and Mac users increases they will become a more and more tempting target," Wang said. "We saw last month with OSX/RSPlug-A that hackers are already targeting Mac users. In the case of OSX/RSPlug-A, the same hacking group created Web sites that attacked both Windows and OS X users."

Apple's increasing popularity means that hackers and security researchers will likely direct more of their attention and resources toward Macs in an effort to ferret out flaws in the OS. That makes it even more important that the hardware maker communicate the level of importance of a particular security download to Mac owners, Chris Rodriguez, a Frost & Sullivan analyst, said.

"As they gain popularity and market share, there will definitely be an uptick there. That will become even more applicable when they settle more into the enterprise market and you start seeing them more on servers and other hardware," he explained.

"It's been a gradual process, but they are moving at a steady pace. As their servers become more popular they will definitely need to increase security," Rodriguez told MacNewsWorld.


More by Walaika Haskins
