Apple released a monster patch late Tuesday, fixing almost 50 security holes in Mac OS X (Leopard) and the Safari Web browser, many of which could allow hackers to execute code remotely or launch cross-site scripting attacks.
The patch updated Mac OS 10.5 to the latest version of the OS, Mac OS 10.5.7, and includes fixes for CoreGraphics, Flash Player, iChat, PHP, Ruby, Apache and its Safari Web browser, among others.
One of Apple's OS patches repaired validation errors in Apache's handling of FTP proxy requests -- a flaw that could enable attackers to easily redirect victims to a malicious Web site in a cross-site scripting attack.
In addition, Apple repaired input validation issues for its Safari Web browser and fixed a memory corruption issue in WebKit -- errors that enabled hackers to infect users if they accessed a malicious URL feed or visited a malicious Web site, usually through some social engineering scheme.
For the Mac OS X, security experts say that one of the significant patches plugged numerous vulnerabilities in the way Apple's CoreGraphics handles embedded images. If exploited, the error could allow hackers to launch attacks and infect users by sending malicious PDF attachments via e-mail, which could then download malware or unexpectedly terminate users' applications once they were opened.
Wolfgang Kandek, chief technology officer for security company Qualys, said that Apple's patch repairing the CoreGraphics flaw addresses the same PDF vulnerability patched by Adobe in April. Adobe also released a security update for its Adobe Reader and Acrobat Reader Tuesday.
Apple also fixed multiple glitches in CUPS, as well as the Flash Player plug-in, both of which allow hackers to infect users' Macs with malicious code by enticing them to visit a specially crafted Web site.
The Cupertino, Calif.-based company also repaired bugs in PHP and Ruby scripting languages, and plugged holes in iChat, which supports the SSL layer for AOL Instant messenger and Jabber accounts.
Meanwhile, Apple also repaired a glitch in ATS (Apple Type Services) that allowed hackers to take complete control of a user's computer by exploiting a heap buffer overflow vulnerability in the ATS handling of Compact Font Format fonts. Kandek noted that the error was first discovered by Charlie Miller at hacker conference CanSecWest when he broke into a Mac system during its renowned annual hacker contest.
Security experts say that so far it seems there haven't been any "in the wild" attacks exploiting the security vulnerabilities. However, Mac malware has been used to infect users in the recent past. The Mac platform was hit with two iServices Trojans earlier this year that were distributed via pirated versions of Apple's productivity suite iWorks and Adobe Photoshop CS4 for Mac, spread through file sharing sites such as BitTorrent and others that contained links to pirated software.
Kandek said that Apple likely will be forced, as has Microsoft, to release patches on a more regular basis as the company becomes a more attractive target for malware authors due to market share increases.
"I think they will have to [develop a regular patch cycle]," Kandek said. "Windows is just a more attractive target because of the volume. You can do similar [attacks] with Apple. It's just not worth it to spend your attention on it right now."