Apple issues mega-patch batch

It corrects 45 flaws, including dangerous bugs in Samba file-sharing software

Apple Tuesday released a security update for Mac OS X that patched 45 vulnerabilities, including several in the open-source Samba file-sharing code that researchers recently warned still threatened users more than 10 weeks after the discovery of critical bugs.

The 2007-007 update for Mac OS X 10.3, "Panther," and 10.4, "Tiger," fixes a total of 45 bugs, at least 17 of which Apple acknowledged could lead to hackers executing attack code. Although Apple does not rate vulnerabilities as Microsoft and other companies do, the flaws it pegs as possibly leading to "arbitrary code execution" would rank as "critical" in other vendors' threat scoring system.

Among the components of Mac OS X patched were CFNetwork, the Mac OS X library of network protocols; CoreAudio, the API (application programming interface) that handles sound on Macs; the zgrep file compression utility; iChat; and WebCore, the part of the WebKit application framework that handles HTML rendering.

Nearly three-fourths of the vulnerabilities patched in 2007-007 were in open-source software that Apple blends with its proprietary code to create Mac OS X and its supporting applications. Multiple bug fixes, for instance, were included in the update for open-source programs such as Kerberos, PHP, Samba, SquirrelMail and Tomcat. In most instances, Apple declined to specify the impact of each bug in the open-source software, instead simply pointing users to the relevant project page. Those open-source projects, however, rarely spell out security fixes in formats or language accessible to all but the most technically-astute users.

Prominent in the update, if only because they have recently been in the news, were three patches for Samba, the open-source file- and print-sharing software included with Mac OS X. Late last week, Symantec researchers reminded users that the flaws, revealed and patched on May 14, remained a dangerous threat. Exploit code effective against Macs had been in circulation during much of July.

Apple also patched several cross-site scripting, information disclosure, and code execution flaws in the underlying code used by the Safari browser. Included in that category was a fix for a Safari vulnerability that had been unveiled by a trio of security researchers last week, and used to exploit the iPhone's version of Safari. Although the danger was smaller on a Mac than on the iPhone -- hacking Safari on the mobile device gives attackers complete access to the hardware and all its data -- Apple warned that the bug in Mac OS X's edition of Safari could still result in successful attack code.

Mac users can download the updates -- the set for Intel Macs weighs in at nearly 26MB -- from the Apple site, or retrieve them using the operating system's integrated update feature.

The beta of Safari 3, the next-generation browser that Apple is testing on both the Mac and Windows, also was targeted by several patches Tuesday. Safari 3.0.3 fixes four flaws, two of which are vulnerabilities carried over from old code; the same bugs were disclosed and patched for the existing version 2 of Safari that's bundled with Tiger, Mac OS X 10.4.

Old-code bugs are not an Apple-only problem. Researchers have found multiple vulnerabilities in Microsoft's Windows Vista that also live in earlier editions of the OS, a finding that's proved to be an embarrassment to Microsoft, which aggressively touted new security development procedures it claimed would weed out such bugs.

Windows users of Safari 3 can update to 3.0.3 by downloading the new version, or by running the optional Apple Software Update utility.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?