By Erika Morphy MacNewsWorld Part of the ECT News Network
05/30/08 1:45 PM PT
Apple's release of a major update for its Leopard operating system has further deflated the claims of some fans that Macs are intrinsically superior in the security department. There's a cup-half-full argument to be made, though: It's because more consumers are using Mac systems that the OS is attracting more attention from hackers.
Apple (Nasdaq: AAPL) has completed a major security overhaul of its Leopard operating system. The fix addresses more than 40 crucial security flaws, including one in iCal that allows hackers to attack the computer remotely.
Other flaws that can result in either application termination or arbitrary code execution have been found in AFP Server, AirPort, AppKit, Apple Pixlet Video, ATS, CoreGraphics, Help Viewer, Core Foundation, Flash Player Plug-in, iChat, Mail, Automator, Time Machine, VoiceOver and Parental Controls.
Security Update 2008-003 also has a non-security function: It enables iPhone users to sync Mac address book contacts with Google (Nasdaq: GOOG) contacts.
Repairing iCal
Plugging the iCal hole was the most immediate need Apple had to address. Last week -- after reportedly trying for months to work with Apple to coordinate disclosure -- Core Security published three Mac OS X iCal-based vulnerabilities: Two of them could crash the iCal program, but the third could allow a hacker to take control of another person's computer.
iCal uses the .ics extension and the CalDAV protocol for calendar-sharing. iCal-using Mac owners may be exposed to possible exploits, as a growing number of Web sites provide calendar files and subscriptions to calendar updates.
Besides the iCal flaw, the patch addresses collaborative functions that could be used as vectors for attack. For instance, Web-based plug-ins such as Adobe (Nasdaq: ADBE) Flash have become attractive to hackers, Ryan Barnett, director of application security at Breach Security, told MacNewsWorld.
"There have been many recent reports of malicious Flash files being hosted on Web sites that aim to exploit known vulnerabilities to install Trojan software on client computers," he said.
In general, the patch does a good job of addressing the critical problems, Lori MacVittie, technical marketing manager at F5 Networks, told MacNewsWorld.
"This is becoming more important as growing levels of malware are being written for the Mac," she noted.
Attackers are getting smarter and are using ubiquitous technology such as Flash, MacVittie added. That trend is exacerbated by the typical Mac user's misguided sense of invincibility against hack attacks.
Aura of Safety
Indeed, as more consumers embrace Macs and as more hackers target OS X, the reputation of Apple's computing product line will continue to take hits. This is not necessarily a bad thing -- at least not for consumers who may naively believe their Macs are safe to use online without any protection, Ken Dunham, director of global response at iSIGHT Partners, told MacNewsWorld.
"Apple computers are traditionally viewed as less vulnerable to malicious code attacks," he observed, but "this is true or false depending upon the context of your statement."
Software on any platform is likely to contain a certain number of errors or vulnerabilities, he explained. "As a result, [the statement that a Mac is more vulnerable] is true [given] that continued development of Macintosh software has led to the development and discovery of new vulnerabilities that open the door for possible malicious actions. However, [it] can also be viewed as largely false when considering malicious code which is not mature within the Macintosh 10.x operating system."
No operating system is completely invulnerable to attack -- including Macintosh -- which means consumers must practice safe computing and harden their computers' configurations against known vulnerabilities, Dunham continued.
"Hackers today are financially motivated -- largely focused upon Windows and other platforms," he noted. "However, for Macintosh, increased capabilities and some exploitation in the wild have taken place in the past 18 months. Still, these cases are very limited in scope and impact when compared to other known attacks in the wild on other operating systems.
"It's possible as Apple gains market share, [OS X] will be increasingly targeted by hackers due to the increased number of potential targets using Macs," Dunham concluded.