Apple fixes 17 Mac OS X flaws

Apple has released the year's fifth major security update for Mac OS X, patching 17 vulnerabilities. It is the first time this year that an OS security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Eight of the 17 vulnerabilities could do no more damage than cause a denial of service in, or a crash of, the affected component. Only five of the patched vulnerabilities could result in an attacker executing his own code. Apple's year-to-date patch total may be over 100, but this month included fixes for fewer flaws than last month (25) and the month before (45).

Among the serious bugs is one in how Mac OS X 10.4 handles PDF files. "By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution," Apple's advisory said. Attacks using this strategy, although rare on Macs, would mean Apple's users would have to be careful when opening attachments. Another dangerous flaw fixed is in the code that maps ports on home networks in iChat, Apple's instant messaging service and software. An attacker with access to the local network could exploit the bug by sending a malformed packet to trigger a buffer overflow, which could then be used to add malicious code to the Mac. Other parts of Mac OS X that were patched include Berkeley Internet Name Domain, the de facto standard Domain Name System server software, which was patched against four vulnerabilities; the Ruby CGI library (two vulnerabilities); and Fetchmail (one vulnerability).

Download: Security Update
News source: InfoWorld


35 Comments


85 flaws to date? and they patched them?
hooray for Mac users. really. not being sarcastic here.

just shows that Apple cares about the security of their products. end of story for me.
how about you, buddy?

How about what? If MS fixes flaws, it's insecure, if it doesn't, it doesn't care about security. That about sums it up, I think.

It's too bad that these posts always deteriorate into Mac vs. Windows wars.

Which, in the case of patches, is completely pointless. Software will never be 'perfect' because it is prone to human error and changes in technology. Therefore, there are 2 choices for Apple and Microsoft: Continue patching their operating system for eternity or patch it for a reasonable length of time before moving onto their next operating system.

Apple and Microsoft can never stop patching their software so the oh-so-old Mac vs. Windows debates, when based on patch quality, quantity, or speed, is one that can never be settled.

There we go again, the mighty OS X which is all secure and never breaks. Not long ago they patched a whole lot of vulnerabilities and other issues and now this, which proves the fact that NO OS is 100% secure. I'm just glad it is NOT ONLY Windows anymore.

When Microsoft patches a few Windows flaws all the MAC fanboys start the flame war, but when their mighty OS breaks and reveals itself as it is (just like any other OS) they can't withstand the criticism. Wake up; it is life, yes your OS just happens to be less popular thus being less attacked, that's all.

Ely said,
There we go again, the mighty OS X which is all secure and never breaks. Not long ago they patched a whole lot of vulnerabilities and other issues and now this, which proves the fact that NO OS is 100% secure. I'm just glad it is NOT ONLY Windows anymore.

When Microsoft patches a few Windows flaws all the MAC fanboys start the flame war, but when their mighty OS breaks and reveals itself as it is (just like any other OS) they can't withstand the criticism. Wake up; it is life, yes your OS just happens to be less popular thus being less attacked, that's all.

No one has claimed OS X is 100% secure.

And no, Mac users don't start flamewars in those threads.

Stop pulling stuff out of thin air to make your opinion look valid.

Chad said,

No one has claimed OS X is 100% secure.

And no, Mac users don't start flamewars in those threads.

Stop pulling stuff out of thin air to make your opinion look valid.

The problem is, Apple and Steve Jobs did; it's their arrogance that is backlashing when people hear this news.

XerXis said,

The problem is, Apple and Steve Jobs did; it's their arrogance that is backlashing when people hear this news.

Yeah, I hate the way they try to market their OS. It's about the sorriest way to do it. Then again, they need all the help they can get selling an overpriced piece of crap.

XerXis said,

The problem is, Apple and Steve Jobs did; it's their arrogance that is backlashing when people hear this news.

The problem is, you are making things up. Apple has never said OS X is 100% secure.

No, but it does provide a good reference point. Vista is constantly being hacked and scrutinized - OS X not as much. It would make sense, if Microsoft didn't do a good job with security, that more flaws would be found/patched in Vista since it is under so much scrutiny. Instead, we are seeing the opposite.

Ad hominem attacks certainly don't help your case.

If an OS's security is not determined by its flaws, then what is it judged by? The intelligence of its users? How many "in the wild" malware can infect it?

Don't get me wrong; OS X is more secure than Vista, only not inherently more secure. If the tables were turned, there would definitely be a ton of malware for OS X.

Has Apple taken drastic measures to improve OS X's security? Last I heard, Microsoft removed all instances of strcpy() from Vista because of security concerns. Do you realize how much code would need to be changed?

Edit: I accidentally replied to the wrong thread. This is meant to be a reply to markjensen's post above.

NateB1 said,
Last I heard, Microsoft removed all instances of strcpy() from Vista because of security concerns. Do you realize how much code would need to be changed?

That was a very good move & code alterations like these caused them the delay... but it's good for customers.

NateB1 said,
...
Ad hominem attacks certainly don't help your case.
...
I guess I could have said that you either were being deliberately disingenuous in attempt to troll, or were woefully ill-informed about what comprises "security". Neither is complimentary, I agree. But either would apply to your so-called conclusion based on a single metric.

NateB1 said,
...
If an OS's security is not determined by its flaws, then what is it judged by? The intelligence of its users? How many "in the wild" malware can infect it?
...
My complaint was with your narrow-sighted focus on a single metric (number of patches) to arrive at your implied conclusion on security. And now, you seem to think I intend you throw away that metric in favor of a different "single metric", which is not the case at all. You need a better analysis than just counting up the number of patches. You need to consider time to patch. Days of exposure. Severity of exploit. Exploit Vector. Any actions that can mitigate the problem prior to patch release.

In short, you have to analyze, not just count.

markjensen said,
I guess I could have said that you either were being deliberately disingenuous in attempt to troll, or were woefully ill-informed about what comprises "security". Neither is complimentary, I agree. But either would apply to your so-called conclusion based on a single metric.

My complaint was with your narrow-sighted focus on a single metric (number of patches) to arrive at your implied conclusion on security. And now, you seem to think I intend you throw away that metric in favor of a different "single metric", which is not the case at all. You need a better analysis than just counting up the number of patches. You need to consider time to patch. Days of exposure. Severity of exploit. Exploit Vector. Any actions that can mitigate the problem prior to patch release.

In short, you have to analyze, not just count.

Do you have such an analysis? If not, you're worse than him, obviously. And I like how you mention 'time to patch' but not 'thoroughness of testing' to make sure it doesn't break tons of **** and put users off from installing the patch.
I mean, it doesn't make you look biased or anything.

J_R_G said,

Do you have such an analysis? If not, you're worse than him, obviously. And I like how you mention 'time to patch' but not 'thoroughness of testing' to make sure it doesn't break tons of **** and put users off from installing the patch.
I mean, it doesn't make you look biased or anything.

From what I read, he's not the one trying to measure the security here. Nate's the one trying to do the measuring. He's just stating what factors should be taken into place when attempting to measure the security of an OS. Forgive him if he didn't name all of them as I'm sure he didn't expect good ol' Nate here to follow through and analyze the situation.

Wow. Microsoft hasn't patched this many flaws within a similar time period. It's nice to know that Apple is trying to catch up to Microsoft in the security arena. I think Microsoft released 10 or so patches for Vista in the past 3 months. Apple has patched how many now? 45+25+17 = 87! Hmm... Which OS is inherently more secure?

OS X = Security via obscurity...

Only an idiot would use the single metric of "number of patches" as a determination of which OS was more secure.

You are not an idiot, are you? Then don't post like one.

While I agree with you, Mark, that was/is the case with most XP fixes. Just because XP had more fixes than OS X, bam... XP is less secure (which is true but number of fixes is certainly not a good scale).
The real test is when people actually start exploiting it and then how the OS can withstand it. I have a gut feeling that OS X might be capable of it but thousands of idiotic mac users might be the real problem. (just like on the Windows side)

markjensen said,
Only an idiot would use the single metric of "number of patches" as a determination of which OS was more secure.

You are not an idiot, are you? Then don't post like one.


So you say OS X is secure always... as someone cited, in a lake of fishes, Windows fishes are about 95% and the chance of catching a Windows fish is always high... and now compare...

No OS or software is 100% secured or stable, including Windows, Unix, Linux & Mac OS X.

guruparan said,


So you say OS X is secure always... as someone cited, in a lake of fishes, Windows fishes are about 95% and the chance of catching a Windows fish is always high... and now compare...

No OS or software is 100% secured or stable, including Windows, Unix, Linux & Mac OS X.

What are you talking about?

guruparan said,
So you say OS X is secure always... as someone cited, in a lake of fishes, Windows fishes are about 95% and the chance of catching a Windows fish is always high... and now compare...

No OS or software is 100% secured or stable, including Windows, Unix, Linux & Mac OS X.

Huh? I never made any claims (comparative or absolute) about OSX security.

In fact, search out my posts here on Neowin, and you will see me clearly state that

  1. Security is a process, not a product or feature, and
  2. Coming to an overall security conclusion based on any single metric is horribly flawed

No need to imagine me saying things in order to try to start online flamewars, buddy.

markjensen said,
Only an idiot would use the single metric of "number of patches" as a determination of which OS was more secure.

You are not an idiot, are you? Then don't post like one.

Wow, I think you need to calm down. Also, calling people an idiot is not very smart on your part. You do not need to attack him. See, the reason people say this is 'cause Apple always advertises that it is secure and it just works no matter what. Which we all know is not true. I mean, like you said, only an idiot would in this case believe that Apple is the golden fleece.

Typhon said,

Wow, I think you need to calm down. Also, calling people an idiot is not very smart on your part. You do not need to attack him. See, the reason people say this is 'cause Apple always advertises that it is secure and it just works no matter what. Which we all know is not true. I mean, like you said, only an idiot would in this case believe that Apple is the golden fleece.

No, I agree with Mark. You can't measure security in the number of patches released, or how many fixes each patch actually fixed. In fact, you can't measure them at all!

Like that guy up above was saying when he was talking about "windows fish" (or trying to anyway), Windows has a greater userbase. That said, there are a lot more people pushing to find flaws within the software. If OSX had the same userbase that Windows did, then yes, I think you'd find a lot more flaws with OSX. However, since we can't test that, you really can't measure the security of each system, other than by the numbers. And once again, you got a stupid way of measuring.

La-la-la-la-la-la-la I can't hear you idiots trying to start an OS X security flame war!

Thanks for the news.

Helba said,
La-la-la-la-la-la-la I can't hear you idiots trying to start an OS X security flame war!

Thanks for the news.

lol... typical Mac user ignoring the issues that Apple has... :)

Oh but wait, OS/X has no security holes! It certainly doesn't have 100... think to yourself... if 100 have been found without anyone even really trying, how many holes does the OS really have in it, that would be discovered if it had been subjected to the same scrutiny as Vista/XP...

"Hi I'm a Mac" "And I'm a PC" "Say PC get any viruses yet?" "Nope, hey wanna view my quicktime movie?" "Sure, did you know that Apple-" "Uh oh Mac fell down and died!"