Apple issues mega-patch batch

It corrects 45 flaws, including dangerous bugs in Samba file-sharing software

Apple Tuesday released a security update for Mac OS X that patched 45 vulnerabilities, including several in the open-source Samba file-sharing code that researchers recently warned still threatened users more than 10 weeks after the discovery of critical bugs.

The 2007-007 update for Mac OS X 10.3, "Panther," and 10.4, "Tiger," fixes a total of 45 bugs, at least 17 of which Apple acknowledged could lead to hackers executing attack code. Although Apple does not rate vulnerabilities as Microsoft and other companies do, the flaws it pegs as possibly leading to "arbitrary code execution" would rank as "critical" in other vendors' threat scoring system.

Among the components of Mac OS X patched were CFNetwork, the Mac OS X library of network protocols; CoreAudio, the API (application programming interface) that handles sound on Macs; the zgrep file compression utility; iChat; and WebCore, the part of the WebKit application framework that handles HTML rendering.

Nearly three-fourths of the vulnerabilities patched in 2007-007 were in open-source software that Apple blends with its proprietary code to create Mac OS X and its supporting applications. Multiple bug fixes, for instance, were included in the update for open-source programs such as Kerberos, PHP, Samba, SquirrelMail and Tomcat. In most instances, Apple declined to specify the impact of each bug in the open-source software, instead simply pointing users to the relevant project page. Those open-source projects, however, rarely spell out security fixes in formats or language accessible to all but the most technically-astute users.

Prominent in the update, if only because they have recently been in the news, were three patches for Samba, the open-source file- and print-sharing software included with Mac OS X. Late last week, Symantec researchers reminded users that the flaws, revealed and patched on May 14, remained a dangerous threat. Exploit code effective against Macs had been in circulation during much of July.

Apple also patched several cross-site scripting, information disclosure, and code execution flaws in the underlying code used by the Safari browser. Included in that category was a fix for a Safari vulnerability that had been unveiled by a trio of security researchers last week, and used to exploit the iPhone's version of Safari. Although the danger was smaller on a Mac than on the iPhone -- hacking Safari on the mobile device gives attackers complete access to the hardware and all its data -- Apple warned that the bug in Mac OS X's edition of Safari could still result in successful attack code.

Mac users can download the updates -- the set for Intel Macs weighs in at nearly 26MB -- from the Apple site, or retrieve them using the operating system's integrated update feature.

The beta of Safari 3, the next-generation browser that Apple is testing on both the Mac and Windows, also was targeted by several patches Tuesday. Safari 3.0.3 fixes four flaws, two of which are vulnerabilities carried over from old code; the same bugs were disclosed and patched for the existing version 2 of Safari that's bundled with Tiger, Mac OS X 10.4.

Old-code bugs are not an Apple-only problem. Researchers have found multiple vulnerabilities in Microsoft's Windows Vista that also live in earlier editions of the OS, a finding that's proved to be an embarrassment to Microsoft, which aggressively touted new security development procedures it claimed would weed out such bugs.

Windows users of Safari 3 can update to 3.0.3 by downloading the new version, or by running the optional Apple Software Update utility.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?