Apple issues mega-patch batch

It corrects 45 flaws, including dangerous bugs in Samba file-sharing software

Apple Tuesday released a security update for Mac OS X that patched 45 vulnerabilities, including several in the open-source Samba file-sharing code that researchers recently warned still threatened users more than 10 weeks after the discovery of critical bugs.

The 2007-007 update for Mac OS X 10.3, "Panther," and 10.4, "Tiger," fixes a total of 45 bugs, at least 17 of which Apple acknowledged could lead to hackers executing attack code. Although Apple does not rate vulnerabilities as Microsoft and other companies do, the flaws it pegs as possibly leading to "arbitrary code execution" would rank as "critical" in other vendors' threat scoring system.

Among the components of Mac OS X patched were CFNetwork, the Mac OS X library of network protocols; CoreAudio, the API (application programming interface) that handles sound on Macs; the zgrep file compression utility; iChat; and WebCore, the part of the WebKit application framework that handles HTML rendering.

Nearly three-fourths of the vulnerabilities patched in 2007-007 were in open-source software that Apple blends with its proprietary code to create Mac OS X and its supporting applications. Multiple bug fixes, for instance, were included in the update for open-source programs such as Kerberos, PHP, Samba, SquirrelMail and Tomcat. In most instances, Apple declined to specify the impact of each bug in the open-source software, instead simply pointing users to the relevant project page. Those open-source projects, however, rarely spell out security fixes in formats or language accessible to all but the most technically-astute users.

Prominent in the update, if only because they have recently been in the news, were three patches for Samba, the open-source file- and print-sharing software included with Mac OS X. Late last week, Symantec researchers reminded users that the flaws, revealed and patched on May 14, remained a dangerous threat. Exploit code effective against Macs had been in circulation during much of July.

Apple also patched several cross-site scripting, information disclosure, and code execution flaws in the underlying code used by the Safari browser. Included in that category was a fix for a Safari vulnerability that had been unveiled by a trio of security researchers last week, and used to exploit the iPhone's version of Safari. Although the danger was smaller on a Mac than on the iPhone -- hacking Safari on the mobile device gives attackers complete access to the hardware and all its data -- Apple warned that the bug in Mac OS X's edition of Safari could still result in successful attack code.

Mac users can download the updates -- the set for Intel Macs weighs in at nearly 26MB -- from the Apple site, or retrieve them using the operating system's integrated update feature.

The beta of Safari 3, the next-generation browser that Apple is testing on both the Mac and Windows, also was targeted by several patches Tuesday. Safari 3.0.3 fixes four flaws, two of which are vulnerabilities carried over from old code; the same bugs were disclosed and patched for the existing version 2 of Safari that's bundled with Tiger, Mac OS X 10.4.

Old-code bugs are not an Apple-only problem. Researchers have found multiple vulnerabilities in Microsoft's Windows Vista that also live in earlier editions of the OS, a finding that's proved to be an embarrassment to Microsoft, which aggressively touted new security development procedures it claimed would weed out such bugs.

Windows users of Safari 3 can update to 3.0.3 by downloading the new version, or by running the optional Apple Software Update utility.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?