Apple fixes Flash snafu in Snow Leopard, patches 33 bugs in Leopard

Mac users get third and fourth updates this week, but Safari may be next, says researcher

Less than two weeks after Apple launched Snow Leopard, the company today issued the new operating system's first security update. In a separate upgrade, Apple patched 33 vulnerabilities in 2007's Leopard, and about half as many in the even older Tiger.

Today's updates were the third and fourth from Apple in the last two days. Wednesday, Apple delivered security fixes for the iPhone and iPod Touch, as well as another upgrade for its QuickTime media player.

"It's another sneak attack," said Andrew Storms, director of security operations at nCircle Network Security, referring to the string of updates. "Actually, it's almost what we've come to expect from Apple," he added.

Unlike rival OS maker Microsoft, which releases most of its security upgrades on a pre-set monthly schedule, Apple ships its patches whenever they're ready to go out the door.

The Snow Leopard 10.6.1 update's security content consisted solely of an upgrade for Adobe's Flash Player, which was bumped to the up-to-date version

Users and security researchers had taken Apple to task for not only shipping Snow Leopard with an outdated and vulnerable version of Flash Player, but also for silently "downgrading" once-secure editions when Macs were updated to the new operating system.

Mac OS X 10.6.1 packaged nine patches for Flash vulnerabilities, some of which could result in "arbitrary code execution," Apple-speak of a critical flaw that attackers could exploit to grab control of a Mac.

According to the corresponding Adobe security advisory, six of the nine flaws could be considered critical.

Apple released the first update for Snow Leopard less than two weeks after it debuted the operating system on Aug. 28, a slightly faster pace than in 2007, when Apple took about three weeks to issue the first security update for Mac OS X 10.5, aka Leopard.

Adobe updated Flash Player to in late July to plug a dozen vulnerabilities, including three inherited from flawed Microsoft development code -- obviously, those were not present in the Mac version -- and one that hackers had been exploiting for at least a week, which did apply to the Mac.

"Having to release a whole OS update just to patch one third-party component, that's a bit heavy-handed," said Storms. "Apple had to go through one whole engineering cycle to fix Flash."

As if to echo Storms' point, Apple noted that the 10.6.1 update -- which admittedly includes fixes for eight non-security issues -- tipped the scale at 75MB.

The Security Update 2009-005 for Leopard and Tiger was more traditional, patching 33 vulnerabilities in the former and 16 in the latter. Of the 33 bugs in Mac OS X 10.5, Leopard, 23 were tagged with Apple's "arbitrary code execution" phrase; 14 of the 16 flaws in Tiger were pegged the same way.

Among the components patched in 2009-005 were ClamAV, the open-source antivirus scanner bundled with Apple's server software; CoreGraphics; the Apple-developed-but-open-source CUPS printing system; Launch Services; MySQL; the PHP scripting language; and SMB (Server Message Block), the file- and print-sharing protocol Macs use to access Windows-based networks.

Two of the vulnerabilities could be triggered by duping users into visiting rigged Web sites, said Apple, while a number of others, including flaws in ColorSync, CoreGraphics and ImageIO, could be exploited by attackers who serve up malformed image, PDF or PixarFilm-encoded TIFF formatted files.

Storms focused on the six patches for PHP, which updated Leopard's version of the scripting language to 5.2.10. "PHP [5.2.10] was released in June," Storms said. "Apple either needs to close this [time] loophole, or distance itself from bundling third-party and open-source components."

Apple has taken heat, from Storms as well as other security experts, for its sometimes-sluggish pace of rolling third-party updates into its operating system. It took Apple until mid-May, for example, to include Flash Player, the version Adobe released in late February, with a Leopard security upgrade.

Also included in the Mac OS 10.6.1 update were at least eight fixes for non-security bugs, Apple said in a separate support document. Among them was one that "addresses an issue in which some printer compatibility drivers might not appear properly in the Add Printer browser," said Apple.

The company today pushed out an additional update that boosted the number of Hewlett-Packard printer drivers.

Both were in reaction to complaints by users that they weren't able to operate some HP printers after upgrading to Snow Leopard.

Storms said it was possible that today's updates weren't the last for the week.

"They've updated the iPhone, QuickTime and OS X. A new iTunes has just come out, and it's likely there were some fixes in that, too. The only thing that's left is Safari," he said, noting that Apple's browser has been patched every month since May, each time in the first or second week of the month.

Mac OS X 10.6.1, the 2009-005 security update and the updated HP printer drivers can be downloaded from the Apple site or installed using the Mac's integrated update service.

Join the PC World newsletter!

Error: Please check your email address.

Tags Applemac bugssnow leopardMac OS Xflash

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?