Apple Security Update Swats Critical Mac OS X Bugs

The update covers nearly 60 vulnerabilities spanning a number of different components, and includes several that can be exploited to execute arbitrary code via drive-by attacks if a victim browses to a malicious or compromised Web site.

Some of the more critical bugs listed in the advisory touch on image and font rendering subsystems and in QuickTime media viewing, said Rich Baldry, senior product manager for Sophos' Web Protection and Mac products.

“All of these components are shared and could impact a number of applications including iTunes and Safari,” he wrote in a blog. “They allow downloaded content to inject code or crash your system.”

Those flaws include bugs in Apple Type Services (ATS) the company warned could be leveraged using documents laced with maliciously-crafted embedded fonts. Several flaws also exist in Apple’s ImageIO that could be exploited using malicious images, such as a buffer overflow in libTIFF’s handling of JPEG encoded TIFF images that could lead to an application crash or code execution.

Apple’s update also includes fixes for PHP, Apache, ClamAV and other components, as well as the latest version of Apple Safari. Also bundled in with the patches is a fix for a bug that Mac security expert Charlie Miller tweeted that he had on tap for the Pwn2Own hacking contest at the CanSecWest Applied Security Conference held earlier this month in Vancouver.

“It slaughters at least 4 I was sitting on including my OS X entry to pwn2own I didn't get to use," he tweeted Monday.

Aside from the security content, the update seems to focus on improving the App Store, Windows file sharing and the Back to My Mac remote connectivity system, blogged Baldry.

“If you have recently bought one of the latest MacBook Pro models there's an additional update that fixes image rendering bugs that can cause display freezing and flickering,” he wrote. “Make sure you apply the update as soon as possible,” he added.