Apple Patch Day Comes With 10 New Updates
One of the updates fixes eight critical vulnerabilities found in OS X Leopard and Leopard server, while the other fixes errors found in OS X Tiger. Altogether, the patches affect Safari, Launch Services, Mail, NFS, Open Directory, Parental Controls, Samba, Terminal and X11. Seven of the 10 vulnerabilities were susceptible to exploitation by a remote attacker.
Particularly noteworthy is the Launch Services bug, experts say, which affects systems OS X v10.5 and higher. The vulnerability affects the way that Launch Services interacts with Time Machine, Leopard's new built-in system backup. Apple said in its security posting that errors in Launch Services allowed an application that was removed from the system to be opened if it was still present in the Time Machine backup. The update addressed the problem by essentially stopping applications to be launched directly from the backup.
Among some of the most significant and hardest hitting vulnerabilities were those found in Safari, Terminal and Mail, which all had the potential to be exploited remotely as the result of a malformed URL. The updates addressed the ability for users to access a maliciously crafted URL that would allow an attacker to take complete control of an affected system or initiate a denial of service on their machines.
In particular, the Safari patch addressed a memory corruption that affected the browser's handling of URLs. The vulnerability, which could be exploited if a user were to visit a malicious Web site, was remedied with a fix that performed additional validation of URLs.
Similarly, the fix for Apple's Mail, affecting its Tiger operating system, also addressed a problem in the application's handling of URLs. The problem allowed the potential launch of arbitrary applications without warning after a user clicked a URL embedded in a message. The update fixed the problem by displaying the location of the file in the Finder application instead of launching it.
Experts say that similar errors were addressed on Microsoft's Internet Explorer several years ago. "That's just more proof that as Safari matures, they take up more of the desktop market," said Jamz Yaneza, threat research project manager for Trend Micro. "You're going to have exploits pop up more often."
"Things people have seen before in the Windows world, they're going to appear in the Mac world," Yaneza added.
Security experts recommend that users update their iPhones and other gadgets, in addition to applying patches to their computers.
Both the Microsoft and Apple releases, issued just a day apart, contained almost the same number of security bulletins. However, the number of fixes Apple issued this month pales in comparison to its patch release in December, which included more than 40 updates.
While Apple has yet to release updates on a regular schedule, this recent release preceded Microsoft's monthly Patch Tuesday by a day. But whether Apple's patch date was intentional is a matter of speculation.
"My only guess is that Apple is testing the waters and seeing how people in the Mac world are to having their own 'Patch Tuesday' as well," said Yaneza.