On Monday, Apple released a mammoth patch to fix 41 vulnerabilities in Mac OS X and to update the beta version of its Safari browser for Windows. The update follows a similar large patch last month.
Security Update 2007-009 fixes vulnerabilities in Apple's code, as well as in some open-source components that Apple integrates with Leopard and Tiger. Apple put almost half of the vulnerabilities in the category of "arbitrary code execution." That means an attacker who successfully exploits one of those bugs could run code of their choosing on the affected Mac.
"It's a large dump," said Ken Dunham, director of Global Response for iSight Partners. "The good news is that even though these vulnerabilities exist on a Macintosh operating system, we have not yet seen attackers give the Macintosh platform a lot of attention."
Looking at the Flaws
The fixes plug holes in Address Book, ColorSync, CUPS, iChat, Mail, Samba, Software Update, Spotlight, and several other applications and modules.
In one vulnerability, an attacker on a local network can initiate a videoconference with an iChat user without the user's approval. A Safari flaw, meanwhile, could let attackers gain access to personal information if the user visits a malicious Web site. And if users don't install the general update for the operating system, they could be exposed to a man-in-the-middle attack that causes Software Update to execute arbitrary commands.
Still, Dunham said he is not overly concerned. He cited only a few notable incidents in the last two years -- some related to proof of concept and others that spread in the wild just briefly. In each instance, he said, the media tends to act like the sky is falling.
"The reality is there's only a few dozen families of code that are even out there for the Macintosh system itself. Of those, many of them are not even functional today," Dunham said. "Before Windows 95, Apple moved to a system that removed almost every single virus on the face of the planet for Macintosh."
The Antivirus Question
Even the Mac-related incidents that the technology world has seen over the past five years have resulted in little consequence for Apple users, Dunham said. The impact and scope have been limited to a couple of hundred users who might have been exposed, he explained, and only a small number were potentially vulnerable to the exploit.
In light of Windows attacks that bounce from continent to continent with dozens of payloads and hundreds of thousands of bots, he added, Apple users are relatively safe.
"Whether or not to have antivirus software on a Macintosh is a tough call. On the Windows side, you need it because it will protect against a lot of old viruses," Dunham said. "But there's not much out there on the Mac side."