Apple Patch Day: 67 Mac OS X, Safari vulnerabilities

On the same day Microsoft shipped a bundle of patches for gaping holes in its PowerPoint software, Apple followed suit, dropping a monster Mac OS X update to correct 67 security vulnerabilities.

The sudden Apple Patch Day also included a patch to cover a trio of flaws in the Safari Web browser (Mac OS X and Windows).

The OS X update covers flaws in 31 different components, including several previously disclosed (and in some cases long-standing) issues in open-source packages that Apple bundles with the operating system. These include vulnerabilities in Apache, BIND, CUPS, OpenSSL, PHP and Kerberos.

The update also fixes what Apple describes as "arbitrary code execution" vulnerabilities in ATS, CFNetwork, CoreGraphics, Cscope, Disk Images and Spotlight.

The full list of affected software, components and discussion of risk is available on Apple's support site.

Separately, Apple shipped new versions of its Safari 3 and Safari 4 (beta) browsers to cover the following issues:

  • libxml (CVE-2008-3529) A heap buffer overflow exists in libxml's handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Affects Mac OS X as well as Windows XP and Vista.
  • Safari (CVE-2009-0162) Multiple input validation issues exist in Safari's handling of "feed:" URLs. Accessing a maliciously crafted "feed:" URL may lead to the execution of arbitrary JavaScript. This update addresses the issues by performing additional validation of "feed:" URLs. These issues do not affect systems prior to Mac OS X v10.5. Also affects Windows XP and Vista.
  • WebKit (CVE-2009-0945) A memory corruption issue exists in WebKit's handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking. Apple credits security researcher "Nils" for reporting this issue, which suggests it is the Safari flaw exploited during this year's CanSecWest Pwn2Own contest.
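Both the libxml entry and the WebKit SVGList entry above are described as fixed "through improved bounds checking". The C snippet below is an added illustration of that bug class and its fix; it is not libxml or WebKit code and does not reproduce either CVE. It shows the unsafe pattern (an attacker-controlled length copied into a fixed-size heap chunk with no check) next to a parser for `&name;` entity references that validates the name and refuses anything that does not fit before it copies a byte. The `ENTITY_NAME_MAX` cap, the `ent_status` codes, the `extract_entity_ref` / `copy_entity_name_unchecked` names and the sample inputs are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, illustrative cap on entity name length; not libxml's real limit. */
#define ENTITY_NAME_MAX 64

enum ent_status { ENT_OK = 0, ENT_MALFORMED = -1, ENT_TOO_LONG = -2 };

/*
 * The bug class: a length taken from the input is used to copy into a heap
 * chunk of fixed size with no check that it fits. Any len >= ENTITY_NAME_MAX
 * writes past the end of the chunk (heap buffer overflow). Shown for contrast
 * only; never call it on untrusted input.
 */
char *copy_entity_name_unchecked(const char *name, size_t len) {
    char *buf = malloc(ENTITY_NAME_MAX);
    if (buf == NULL) return NULL;
    memcpy(buf, name, len);   /* no comparison of len against the chunk size */
    buf[len] = '\0';
    return buf;
}

/*
 * Hardened version: scan "&name;" starting at in, accept only a conservative
 * character set for the name, and stop as soon as the name would no longer fit
 * in the caller's buffer (or exceed the global cap). The bounds check happens
 * before anything is written, so a long name is rejected, not copied.
 * Returns ENT_OK and writes the NUL-terminated name into out on success.
 */
enum ent_status extract_entity_ref(const char *in, char *out, size_t outcap) {
    if (in == NULL || out == NULL || outcap == 0 || in[0] != '&')
        return ENT_MALFORMED;
    const char *p = in + 1;
    size_t len = 0;
    while (p[len] != '\0' && p[len] != ';') {
        unsigned char c = (unsigned char)p[len];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return ENT_MALFORMED;
        len++;
        /* len + 1 bytes (name plus NUL) must fit in out; also honour the cap. */
        if (len >= outcap || len >= ENTITY_NAME_MAX)
            return ENT_TOO_LONG;
    }
    if (len == 0 || p[len] != ';')
        return ENT_MALFORMED;
    memcpy(out, p, len);
    out[len] = '\0';
    return ENT_OK;
}

int main(void) {
    char name[ENTITY_NAME_MAX];
    char longref[ENTITY_NAME_MAX + 16];

    /* Constructed inputs: a normal reference and one whose name exceeds the cap. */
    const char *ok = "&amp; rest of document";
    longref[0] = '&';
    memset(longref + 1, 'a', ENTITY_NAME_MAX + 8);
    longref[ENTITY_NAME_MAX + 9] = ';';
    longref[ENTITY_NAME_MAX + 10] = '\0';

    int r = extract_entity_ref(ok, name, sizeof name);
    printf("short reference: status %d, name \"%s\"\n", r, r == ENT_OK ? name : "");
    printf("over-long reference: status %d (ENT_TOO_LONG is %d)\n",
           extract_entity_ref(longref, name, sizeof name), ENT_TOO_LONG);
    return 0;
}
```

The important detail is where the check sits: the hardened parser compares the running length against the destination size on every byte and bails out before the copy, whereas the unchecked variant trusts a length it never validated. The same shape of fix (check the index or length against the backing allocation before indexing into it) is what "improved bounds checking" means for a list type such as WebKit's SVGList.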

Talkback

122 comments
  • How about being a real journalist

    and giving us a count of patches in third-party open source components
    as opposed to actual OS X patches.

    One of the big complaints against Apple is that they are slow to update
    open source patches. So instead of tossing around cute little propaganda
    phrases like whopper, how about some actual journalism.
    frgough
    • You're so funny

      You don't seem to care about 'actual journalism' when it comes to MS patches.
      Must be the shill in you.

      mdemuth
      • A Plague on Both Houses

        Microsoft patches the third party software they include, like Bash,
        OpenSSL? No. Not included, never patched, no discrimination between
        home grown and third party foss packages needed for Microsoft patch
        reporting.

        Meanwhile, isn't the distinction between third party and home grown for
        Apple a tad academic, and, whether you agree, easily figured out any
        way?

        I thought this was a good article. Now off to download.
        DannyO_0x98
      • Um, he's funny but accurate

        Apple is still riddled with security holes, especially when it comes to Safari and many other 3rd party products that MS has no problem showing details for when it releases its patches on Tuesday.

        MS is consistent, usually transparent, and delivers patches, regardless of mactard propaganda, every Tuesday.

        All while mactards try to defend their security flawed OSX.

        Yeah EXTREMELY funny!

        I love how the retarded editor calls powerpoint GAPING holes (even when just found and immediately patched)... while Apple is finally being diligent about some OLD security flaw. And Apple still has more to go!
        JABBER_WOLF
        • Lord

          Good God what is wrong with you people? Are you all like this in real life? Must make the 6th grade hard for everyone else.
          mojorison679
          • Well Said!

            Thanks for calling these people out. It's hysterical how they use these forums for calling each other names. It's like "My OS can kick your OS's butt. So there, nana nana nana."
            Ridiculous.
            iamagas
          • LOL! I concur! (nt)

            nt
            midenginedrift
          • LOL! I concur!

            Yeah. Bunch of socially retarded, aluminum foil hat wearing, too long off their meds loonies!!!
            richdave
    • Whopper?

      I failed to see the phrase "whopper". Maybe when you learn to read, he can revise his writing habits.
      bbonis
    • Nice insulting subject line there

      and first out of the gate! Seems someone has struck a defensive nerve.

      And why would they count open source components? Common sentiment around here suggests that no one uses those.

      :o)
      Jack-Booted EULA
  • RE: Apple Patch Day: 67 Mac OS X, Safari vulnerabilities

    Worthless drivel. Oh well, it's ZDNet.
    thomcarl
    • ZDNet

      Did you expect otherwise?
      OracleOfReason
      • Well....

        Why the hell bother coming to the site to read the articles and comment on them if you don't like the site, you morons?

        Don't like something? Don't use it. Do you eat food you hate and moan about it all the time? No?

        Well, don't bother coming to this site and posting rubbish and clogging up blogs and comments sections with worthless posts that serve no purpose whatsoever.
        Average-IT-Guy
  • Don't worry, many patches == secure operating system

    according to the US Army.

    We should be thankful that Apple put in so many
    vulnerabilities in the first place. That way
    they can keep being a secure OS year after
    year.
    honeymonster
    • Yes, they do.

      Apple also fixed or improved...

      http://macdailynews.com/index.php/weblog/comments/21101/

      Address Book
      - Improves reliability of Address Book syncing with iPhone and other devices and applications.

      AirPort
      - Improves the reliability of AirPort connections, including improvements when roaming in large wireless networks with an Intel-based Mac.

      Client management
      - Improves reliability of synchronizing files on a portable home directory.
      - Fixes an issue in Mac OS X 10.5.4 and 10.5.5 in which managed users may not see printers that use the Generic PPD.
      - Client computers that use UUID-based ByHost preferences now respect managed Screen Saver settings.

      iChat
      - Addresses an issue that could cause an encryption alert to appear in the chat window.
      - Setting your iChat status to "invisible" via AppleScript no longer logs you out of iChat.
      - Resolves an issue in which pasting text from a Microsoft Office document could insert an image rather than text.

      Graphics
      - Includes general improvements to gaming performance.
      - Includes graphics improvements for iChat, Cover Flow, Aperture, and iTunes.
      - Includes fixes for possible graphics distortion issues with certain ATI graphics cards.

      Mail
      - Includes overall performance and reliability fixes.
      - Improves Connection Doctor accuracy.
      - Fixes an issue that could cause messages identified as junk to remain in the inbox.
      - Fixes an issue that could cause Mail to append a character to the file extension of an attachment.
      - Addresses an issue that could prevent Mail from quitting.
      - Improves reliability when printing PDF attachments.

      MobileMe
      - Contacts, calendars, and bookmarks on a Mac automatically sync within a minute of the change being made on the computer, another device, or the web at me.com.

      Networking
      - Improves Apple File Service performance, especially when using a home directory hosted on an AFP server. Important: If you are using Mac OS X 10.5.6 (client) to connect to a Mac OS X Server 10.4-based server, it is strongly recommended that you update the server to Mac OS X Server version 10.4.11.
      - Improves the performance and reliability of TCP connections.
      - Improves reliability and performance for AT&T 3G cards.
      - Updates the ssh Terminal command for compatibility with more ssh servers.

      Printing
      - Improves printing for the Adobe CS3 application suite.
      - Improves printing for USB-based Brother and Canon printers.

      Parental Controls
      - Addresses an issue in which a parentally-controlled account could be unable to access the iTunes Store.
      - Includes general fixes for time limits.
      - Resolves an issue that prevented adding allowed websites from Safari via drag and drop.

      Time Machine
      - Fixes issues that could cause Time Machine to state the backup volume could not be found.
      - Improves Time Machine reliability with Time Capsule.

      Safari
      - Improves compatibility with web proxy servers.

      General
      - Includes Mac OS X security improvements. See this website for more information.
      - Addresses inaccuracies with Calculator when the Mac OS X language is set to German or Swiss German.
      - Improves the performance and reliability of Chess.
      - Improves DVD Player performance and reliability.
      - Performance improvements for iCal are included.
      - Fixes an issue when running the New iCal Events Automator action as an applet.
      - Adds a Trackpad System Preference pane for portable Macs.
      - Improves compatibility with smart cards such as the U.S. Department of Defense Common Access Card.
      - Updates time zone data and Daylight Saving Time rules for several countries.

      ---

      How many patches from Microsoft actually makes Windows faster? And how often does Microsoft release patches for 3rd party apps & components?

      And this is OS X 10.5.7. Meaning that there have only been 7 of these since Leopard's release. Most admins are angry that Apple doesn't release patches as soon as they're ready instead of lumping them together. For me, I'm happy that I'm not having to deal with patches every single week like I do on my Vista machine.
      ashdude
      • @ashdude

        Actually, releasing patches ASAP is better than waiting. Most of these vulnerabilities are fairly dated. Over a week old and you can find them on the net. Which means your secure computer is open to attack. Quite a few people dislike MS patches and only do it every now and then but... heard of Conficker? Biggest worm ever? It exploits a vulnerability in Windows that MS patched more than a week before the worm came out. The worm infected millions of computers. Just you wait. One day Apple will have a decent market share and be used by businesses. Then you'll find out why security through obscurity is such a bad idea.
        Chrissd
        • If Mac malware becomes a serious issue, they probably will..

          ... start releasing patches ASAP. But I still prefer the bundles. That way I can wait to see if the patch will break anything. So far, none of Leopard's patches have broken anything, but you can never be too careful.

          I can remember back in the late '90s, System 7.5 had an update that totally killed my work's Macs. And there was no easy way to remove an update back then, so it was reinstall time in the art room! LOL. Anyway, I'm thinking that it was System 7.5.4 that did the dirty deed. And Apple did remove 7.5.4 later that day, but it was still a tad too late to save us.
          ashdude
      • Patching every week?

        Not sure I understand. The only weekly patch I may see is Windows Defender sig updates, and that takes like 2 seconds to install itself. There haven't been all that many critical patches for Vista and 2008. Actually, I have the original Feb. '08 copy of Server 2008 and I just installed another server the other day and there are only 27 patches all together for Server 2008. That's over a year and 2 months now and only 27 patches, with only a handful of critical ones.

        Keep spouting your lies if it makes you feel better, but go get the facts and realize that Vista and Server 2008 are much more secure than OSX. I would rather have patches sooner than later and I don't let patches ride; it's just not good common sense to do so. Apple fanboys are so clueless, they don't know a computer from a toaster, it seems.

        But give me a break, your statement of patching every week just proves that you are completely clueless or just a plain liar. Please try to speak to some fact over your emotional facts.
        OhTheHumanity
        • I take that back......

          No updates for Windows Server 2008 rated critical. None zip zero zilch. So tell me again why Vista and 2008 are so insecure. Seems to me as the critical updates keep rolling out for older versions Vista and 2008 are standing pretty strong against attacks. No big patch batches going on over here. Looks to me like Windows is moving in the right direction.
          OhTheHumanity
        • REALLY you that fooled?

          Why not look at every security competition that is held with OSX, Linux and Windows.

          OSX is the first hacked... sometimes within minutes!!!

          So while someone consistently keeps security up-to-date... you cheer the company that puts its head in the sand and pretends problems don't exist and then has a patch to fix year-old security flaws??

          And yes, OSX does have a patch update manager as well, are you really that stupid not to notice??!?!
          JABBER_WOLF