Apple patches 40 Mac OS X security bugs

Vulernabilities in Flash Player, iCal and Apache fixed

Apple Wednesday patched 40 security vulnerabilities in more than 25 different components and applications bundled with Mac OS X, including Flash Player, iCal and Apache.

The year's third update fixed fewer than half as many flaws as the previous collection, which Apple issued two months ago to plug nearly 90 holes.

Sixteen of the 40 patches in Wednesday's update were tagged by Apple with its "arbitrary code execution" phrasing, putting them into the category most other vendors would label "critical."

According to the Security Update 2008-003 advisory, the most-patched components by vulnerability count were Apple's version of the Apache open-source Web server (eight bugs fixed) and the version of Adobe System's Flash Player that Apple tucks into Mac OS X (seven flaws patched).

Fixes to Flash Player, said Apple in its Security Update 2008-003 advisory, update the popular multimedia player application to version 9.0.124.0, the one currently available for download from Adobe itself. Adobe released that version nearly two months ago to patch the same seven vulnerabilities Apple fixed yesterday. Among the seven was one used to claim a US$5,000 prize at a hacker challenge in late March.

Coincidentally, earlier versions of Flash Player are currently being exploited by attackers who have hacked legitimate Web sites and are infecting Windows users with a variety of malware.

Also notable in the update was a fix for one of thee three iCal vulnerabilities that had been disclosed last week by Core Security Technologies. Apple patched the most serious of the trio, marked as CVE-2008-1035, Core's chief technology officer, Ivan Arce, confirmed Thursday. "Yes, I can say that they patched the most serious of the vulnerabilities, but I cannot confirm that they have patched, or haven't patched, the other two."

Core reported the three iCal bugs to Apple in January 2008, and then went public with information about the vulnerabilities last week after it tired of Apple's patch delays. Core's researchers and Apple's security team also disagreed over the severity of the two bugs still unpatched, according to notes Core posted online.

Arce confirmed the disagreements last week in an interview, and mentioned them again Thursday. After several rounds of e-mail messages, he said, Core told Apple that it appeared the two lesser vulnerabilities were "crash-only," and could not be used to inject malicious code. "But that doesn't mean that they're not security bugs," Arce argued last week.

"If you look at our timeline, you'll see that there was some disagreement about whether the two bugs were security bugs," Arce said today. According to that timeline, Apple said it wanted to classify the two vulnerabilities as having "no security-related consequences." Core disagreed.

Arce said Core will be running tests through Friday to see whether Apple added behind-the-scenes patches for the second and third bugs -- possible because the Cupertino, Calif. computer maker may have decided on its own that they are more design flaws, and less security vulnerabilities.

Apple has not replied to e-mails asking if it has fixed the remaining two Core-disclosed vulnerabilities in iCal.

Other patches included in the Wednesday update address vulnerabilities in AppKit, CoreFoundation, the Help Viewer, Image Capture, the Mac kernel, Mail and Single Sign-on. The risks to users run the gamut from the critical "arbitrary code execution" and password exposure to cross-site scripting and denial-of-service attacks.

The majority of the 40 patches apply to both Mac OS X 10.4 (Tiger) and Mac OS X 10.5 (Leopard); separate updates are available for Intel - and PowerPC-based machines, as well as for Mac OS X Server.

Security Update 2008-002 can be downloaded manually from the Apple site, or installed using Mac OS X's integrated update service, though Leopard users won't see the update on the latter, since the security patches have been rolled into the Mac OS X 10.5.3 upgrade released earlier Wednesday.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?