Microsoft's Patch Tuesday was rather uneventful this month, but Apple's latest release of security fixes on Wednesday was anything but light. In all, Apple patched 41 vulnerabilities in Mac OS X and related software.
The company released an update for Tiger, fixed 10 bugs in the Windows version of Safari, and upgraded several other third-party applications. In the eyes of Graham Cluley, a senior technology consultant at security research firm Sophos, Wednesday's release was a Godzilla-sized security update that exceeded about 130 MB in size.
The update includes 15 critical fixes to patch vulnerabilities that Apple said could open the door for "arbitrary code execution" that leaves a Mac compromised. More than two dozen other patches fixed vulnerabilities that could crash the OS or applications, allow malicious Web sites to do drive-by downloads, poison the machine's DNS cache, or allow hackers to steal information or search for files on the victim's hard drive.
Fixes for Mac OS X
"The most critical patches here address vulnerabilities which could allow hackers to run malicious code on users' Macs without their permission," Cluley said. "The good news is that modern Macs are configured to automatically download security patches in the background when the user connects to the net. Home users should allow their Macs to do this rather than leaving it until a threat emerges."
Cluley noted that these vulnerabilities were announced in the wake of the discovery of the first true financially motivated piece of malware to hit the Mac. The RSPlug Trojan, developed by the Zlob gang that has been successfully targeting Windows PCs for months, was recently discovered on Web sites posing as a codec to allow Mac owners to watch videos.
Although many say Mac computers are much less frequently targeted than Windows PCs when it comes to malware and hack attempts, Cluley said that is no reason Mac owners should rest on their laurels and think they don't have to worry about security.
It should be noted that several fixes addressed vulnerabilities in third-party applications for Apple's OS. Many of these apps are open-source projects. For example, third-party applications such as bzip, Kerberos, and BIND were fixed along with the Flash player plug-in.
Safari on Windows
With Apple's release of an update to its Safari Web browser beta for Windows, which fixes 10 different vulnerabilities, it's clear that Windows users are not immune to Apple security problems. Because Windows users are so frequently attacked via malicious code on the Web, Cluley said, it would make sense for people testing Safari on Windows to make sure that they are running the latest patched version.
"There's a clear message here: No operating system is immune to vulnerabilities. Every computer user needs to keep on top of the patch mountain in order to defend their data," he said. "Technologies such as Network Access Control can help companies assess whether computers attaching to their infrastructure are running the latest antivirus and security patches in their attempt to reduce the risks to corporate systems."