Apple Inc. patched 67 vulnerabilities in Mac OS X, including two bugs that researchers used in March to walk off with $5,000 each in a noted hacking contest.
Apple's recent update was the largest for Apple since March 2008.
“For Apple, updates this size are now becoming the norm,” said Andrew Storms, director of security operations at nCircle Network Security.
Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.
More than a third of the vulnerabilities — 26 of the 67 — were labeled with Apple's “arbitrary code execution” description, meaning the flaws are critical in nature and could be exploited to hijack a Mac. Unlike many other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.
Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache Web server and the WebKit browser rendering engine that powers Safari. “I don't see Apple moving at a faster pace,” said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. “Some of these I remember patching [on Linux] back in December.”
“Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities,” Storms continued. Researchers can look for fixed bugs in open-source code, and use that information to reverse-engineer an exploit against Apple's operating system secure in the knowledge that the company hasn't yet pushed out updates.
Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.
But the highest-profile vulnerabilities today — if only because they attracted so much media attention — were the two bugs used at “Pwn2Own,” the annual hacking contest sponsored by 3Com's TippingPoint.
Last March, Charlie Miller, an analyst at Independent Security Evaluators in Baltimore, won $5,000 and a MacBook after using a flaw in the Apple Type Services component of Leopard to break into the laptop in less than 10 seconds. Later that same day, a computer science student from Germany who would only give his first name as Nils exploited Apple's Safari by using a vulnerability in WebKit.
Apple patched both vulnerabilities today, nearly two months after the contest. Mozilla, in comparison, patched its Firefox browser — which Nils also hacked at the CanSecWest security conference on the same day he broke Internet Explorer 8 and Safari — on March 27.
Storms was struck by the contrast between Apple's update and the one that Microsoft unveiled earlier today. “Microsoft, which historically has had the view of producing the less-secure operating system, puts out one bulletin today, with 14 vulnerabilities.
And Apple comes out with [an update with] 67 bugs,” he noted. “It's a 'I coulda had a V8' moment, where you slap your forehead,” Storms continued. “It's like history changed in front of my eyes.”
Critical of Apple's security practices in the past, Storms didn't let up today. “Who really knew that OS X was this insecure?” he said. “This has to be a wake-up call for somebody.”
He did not, however, hit the quality of Apple's patches. “The quality on both sides is good,” he said. “I don't see a difference in quality between the two [Apple and Microsoft].” Instead, he focused on the lack of business-grade management tools and the paucity of information that Apple provides about the bugs and the ensuing patches.
“Macs really still aren't an enterprise tool,” he said, “even though Apple's marketing likes to say that they are, and that they're used in enterprises.”
Apple last patched its operating system in mid-February 2009, when it fixed 48 vulnerabilities. Today's patch tally was 40% larger, and the biggest since that 90-fix update 14 months ago.
Safari also was patched today. Apple issued separate security updates for Safari 3.0 and the beta of Safari 4.0; both updates patched three vulnerabilities in the Mac and Windows versions of the browser. Mac users can apply the updates separately, but the patches are included in the 67 that make up 2009-002.
The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.5.7 upgrade also released today.