Mac users: You have to patch too

Summary: OS X and Mac applications have security vulnerabilities too; some people still don't believe it, but it's true. Here are the latest ones and why you need to take them seriously.

[Correction: Several mistaken cat names of OS X versions were corrected in this story. The version numbers of the affected versions were all correct; only the name attributions were wrong.]

The release yesterday of OS X 10.8.5 caps a fairly busy security update season for Mac users. You thought Windows users were getting all the grief? In fact, Mac users have plenty of work to do to keep their systems safe, and it's not just updates from Apple you need.

Along with 10.8.5, Apple released Security Update 2013-004 for OS X 10.7 (Lion) and 10.8 (Mountain Lion), and a separate Safari update for OS X 10.6 (Snow Leopard) that brings Safari to version 5.1.10.

The fixes in 10.8.5 and 2013-004 address 31 separate vulnerabilities, the oldest of which was confirmed and fixed 18 months ago. Long lags between disclosure and patch are common for Apple. Nine of the vulnerabilities patched in these updates date from 2012, though all of those appear to be in server-side components such as Apache and OpenSSL.
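The updates above are only useful if you can tell which machines still lack them, and the usual mistake in a quick fleet audit is comparing version strings as text, which puts Safari 5.1.9 after 5.1.10. The following is an added example, not code from the article or from Apple: a small POSIX sh audit that compares dotted versions component by component. The installed versions it feeds in are constructed sample data; the fallback value and the `sw_vers` call are assumptions about where a real check would read them from.

```shell
#!/bin/sh
# Added example (not from the article): a minimal patch-level audit for the
# updates the article lists. Dotted version strings must be compared
# component by component, not as strings: "5.1.9" sorts after "5.1.10"
# lexically, which would wrongly report a stale Safari as current.
# Inputs are assumed to be purely numeric dotted versions (10.8.5, 5.1.10).

# version_lt A B: exit 0 if A is strictly older than B, 1 otherwise.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    ah="${ah:-0}"; bh="${bh:-0}"          # "10.8" compares as "10.8.0"
    [ "$ah" -lt "$bh" ] && return 0
    [ "$ah" -gt "$bh" ] && return 1
  done
  return 1                                # equal, so not "less than"
}

# patch_status NAME INSTALLED REQUIRED: print one audit line.
patch_status() {
  if version_lt "$2" "$3"; then
    printf 'UPDATE %s %s -> %s\n' "$1" "$2" "$3"
  else
    printf 'OK %s %s\n' "$1" "$2"
  fi
}

# The installed versions below are constructed sample data. On a real Mac
# you would read the OS version from `sw_vers -productVersion` (as attempted
# here, with a constructed fallback when the command is absent) and an app's
# version from CFBundleShortVersionString in its Info.plist.
OS_INSTALLED=$(sw_vers -productVersion 2>/dev/null || echo 10.8.4)
patch_status "OS X"   "$OS_INSTALLED" 10.8.5
patch_status "Safari" 5.1.9           5.1.10   # a string compare would say OK
patch_status "Safari" 5.1.10          5.1.10
```

The required versions are the ones the article names; extend the three `patch_status` lines with whatever else your inventory tracks.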

But many are the kind that affects ordinary Mac users: two vulnerabilities in the handling of graphics data in PDF files, both reported to Apple by Google, could allow malicious code execution simply by opening a PDF.

Another that should be of great concern is a vulnerability in sudo, first announced in February of this year: a user with admin privileges can gain root privileges if sudo has ever been used before on the system. The nearby graphic explains more about how sudo works.

How sudo works. Credit: XKCD
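
The "if sudo has ever been used before" condition refers to sudo's timestamp cache: after one successful authentication, sudo remembers it for timestamp_timeout minutes (five in stock sudo) so later invocations skip the password prompt. The real fix is the updated sudo in these patches, but a practitioner auditing a fleet will also want to know whether that cache is even enabled. The following is an added example, not code from the article or from the sudo project: a POSIX sh check that reads the global timestamp_timeout from a sudoers file. The three sudoers fragments are constructed samples, and the check deliberately ignores per-user/host Defaults and #include/@include files, which is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the article): audit a sudoers file for the
# credential cache behind "sudo has ever been used before". After a successful
# sudo, the authentication is cached for timestamp_timeout minutes (default 5
# in stock sudo); 0 forces a password on every invocation, -1 never expires.
#
# Assumptions/limitations of this example: only global "Defaults" lines are
# read; per-user and per-host Defaults and #include/@include files are ignored.

# sudoers_timestamp_timeout FILE: print the last global timestamp_timeout
# value in FILE, or "unset" if none is configured.
sudoers_timestamp_timeout() {
  val=$(sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*Defaults[[:space:]]' \
      | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p' \
      | tail -n 1)
  printf '%s\n' "${val:-unset}"
}

# sudo_timestamp_verdict FILE: one-line assessment of the caching policy.
sudo_timestamp_verdict() {
  t=$(sudoers_timestamp_timeout "$1")
  case "$t" in
    unset) echo "caching enabled (sudo default, 5 min in stock sudo)" ;;
    0)     echo "caching disabled" ;;
    -1)    echo "caching never expires" ;;
    *)     echo "caching enabled ($t min)" ;;
  esac
}

# Constructed sample sudoers fragments (not real system files).
SUDOERS_STOCK=$(mktemp); SUDOERS_HARDENED=$(mktemp); SUDOERS_PERMANENT=$(mktemp)
trap 'rm -f "$SUDOERS_STOCK" "$SUDOERS_HARDENED" "$SUDOERS_PERMANENT"' EXIT
cat >"$SUDOERS_STOCK" <<'EOF'
# no timestamp_timeout at all, so sudo's built-in default applies
Defaults        env_reset
root    ALL = (ALL) ALL
%admin  ALL = (ALL) ALL
EOF
cat >"$SUDOERS_HARDENED" <<'EOF'
Defaults        env_reset
Defaults        timestamp_timeout=0   # always prompt
%admin  ALL = (ALL) ALL
EOF
cat >"$SUDOERS_PERMANENT" <<'EOF'
Defaults        env_reset,timestamp_timeout=-1
%admin  ALL = (ALL) ALL
EOF

for f in "$SUDOERS_STOCK" "$SUDOERS_HARDENED" "$SUDOERS_PERMANENT"; do
  printf '%s: %s\n' "$f" "$(sudo_timestamp_verdict "$f")"
done
# On a live system: sudo_timestamp_verdict /etc/sudoers (readable only as
# root), `sudo -V | head -n 1` for the installed version, and `sudo -k` to
# drop your own cached timestamp immediately.
```

Setting timestamp_timeout=0 narrows the window in which a cached credential exists; it is a hardening step alongside, not a substitute for, installing the patched sudo.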

The Safari update addresses multiple memory corruption errors in JavaScriptCore's JSArray::sort() method. These issues affect only OS X 10.6 (Snow Leopard).

But that's just the Apple side. Microsoft's Patch Tuesday earlier this week included one update, MS13-073 (Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution, 2858300), that affects Office for Mac 2011.

Do you use Adobe Reader or Acrobat? Flash or Shockwave? Then it's time to download the current versions of those products, which address serious vulnerabilities in them.

Finally, there's Java. Assuming you're unwilling to remove Java from your system and never look back (which would be the best option), you should update as soon as possible to the latest build, Java 7 Update 40, in order not to be vulnerable to attack.

And yes, there really are attacks out there against Macs which exploit vulnerabilities. Intego, a Mac security company, recently wrote up a malicious program which exploits Java vulnerabilities.

  • It's a fact...

    Every software, whether open or closed source, free or commercial, has security vulnerabilities that need patching and updating, but most users of open source and free software willingly ignore this because they live in the mist that their software is invulnerable to malware and bugs. Too bad for them, because they learn they're wrong the hard way.
    • And I know...

      Mac OS X isn't free, but because it's a UNIX-like operating system, some people seem to believe it's one of the most secure operating systems in the market, which is a lie. In fact, I would say Mac OS X is the least secure operating system in the market.
• MacOSX is Unix (BSD), not Unix-like.

As software gets more complex, there are more chances of security loopholes in code. MacOS or Linux, for that matter, may have very good security built into the "foundation" kernels, but as you keep adding more to the UI or functionality, there are always chances that something could be left untested for security. Still, the MacOS, Linux or any Unix (MacOSX is Unix too) has security built in; it is not an afterthought and definitely better than what Windows offers. MacOSX is based on the BSD kernel and is pretty secure as far as the main kernel goes. BSD has been quite secure compared to Windows any day.
      • The Uninvited Expert

        What defines the "market?" Items that are available for license to users of any hardware that could be considered a pc? Well, OS X falls out because we know it is not licensed for those who do not own an Apple machine.

        Is the market better described as the install base among pc users, and so to exclude things like Windows 98, we set a usage threshold. If it's an os that more than 10% of the current users have installed, then OS X again falls out. So let's drop it to 5%, but that also brings in XP and Vista. (XP is the second most used os, so it was there at 10%.) Recent OS X releases are more secure than XP. To argue otherwise is to proudly wear the shirt of a Windows fan beyond reason.

        But who attacks the os? Malware vectors are primarily social engineering hacks, or attacks on complex add-ons that users have so as to gain functionality from network accessed resources. Flash, java, phishing, these are the problems because they reside in the zone between the trusted application and the unduly trusted outer world. The os is abstracted.

Going back to your assertion, yeah, even if you're right, so what? I'm going to re-spend thousands of dollars, commit to hours of research to find the best replacements for OS X-only software I use, and say farewell to the Unix tools I love because leonsk29 wants to scare me away from OS X, as he begs the question that anyone offers security at zero cost.

        Security is inverse to functionality. Now we are grown-ups and we understand that going to resources controlled by others is at some level insecure, yet here I am on a web page which makes its living by pulling in resources from sources the website supposedly trusts and downloads them onto my machine. First step in increasing my security? Don't visit the web. But, I don't want to give that up, so I come here, hope for the best, but have some expectation that one day it will turn out bad. The day I may lose in doing clean-up is the deferred liability for the things I want to do. I accept the risk and understand the cost.

        One mitigation? Maybe my os is out of favor for the malware writers or has new armor, but I think that as time passes the range of attack vectors increases, so that is hardly reassuring. Still, updating when possible is something I should do and recommend. (And, even as I click the install button, I make the quick wish that the update doesn't break something, as some of Apple's have, and as happened earlier this week with a Microsoft Outlook update.)

        One thing that does not help is the advice of folks who point to an os and squeal their derision. What are your credentials? What are your failures that you learned from? What is your perspective, metrics, and quantification on how bad the worst os on the market is? Besides, who really cares, except for those who want to put on paper hats and play os wars. There was a day when Windows was nowhere near the top in terms of security. Remember Windows 98 and the ping of death? People still bought Windows because, and this is the key point, security is not the primary consideration for choosing an os.
      • Don't know which open source users you are talking about.

        All the open source people I know can't wait for updates.
        The only open source users I know of that don't update are open source dabblers that primarily use Windows.
  • Why bother with Mac?

    I find it astonishing that hackers and malware coders waste their time on Mac -- an OS which after all these years has barely scraped past 5% market share -- but they do.
    Tim Acheson
  • Wow really?

    Apple has been releasing security patches whenever they find something they need to patch, but they certainly have a much better track record of not having as much malware as Windows or Android.
    • Let's Put Blame or Responsibility Where It Belongs

      It's the people who attack who choose attack points. It's an economic decision and simply put is cost versus benefit. As far as the vendors go, the choices they make weigh customer benefit and customer risk, though it's up to the customer to research and understand the risks.

      Look at it this way. The contractor sells a house with windows, and points out to the buyer that on hot days the windows can be opened to cool the house down. Open windows increase the risk of burglary and the home owner weighs the comforts of a breeze with the risk of loss.

      The negatives you reference are not really controlled by the vendors. That would be like saying different window makers could be scored as to how often they are a means of entry in a burglary. Some have better locks for when they are closed, but, generally, those windows cost more. And the locks have to be set and used properly. User choices and user bad luck are more important than the vendor's platform.

      If one is truly worried about the allegations that there is more malware in Google's store, but that phone is the right price and right interface, then get the Android phone and don't install any apps.

      And, oh yes, install updates when available.
  • Acrobat is relatively rare on Macs

    unless you are running Adobe Creative Suite. Macs display PDF natively (the GDI is Display PDF), and do not need a reader.
  • Re: Mac users: You have to patch too....

    If there was ever a title to drag out the Windows trolls then it has to be this one.

    It has never been suggested by any regular Mac user that it is impervious to security threats. As with all platforms patches are essential to address security breaches. That being said I can still confidently run a Mac without any Antivirus software installed.
    • Hahaha, now the Mactards are denying their tongues

      Mactards kept claiming Macs are immune to malware up until 2011, during which the spotlight was shined on Apple's scam of Macs being immune to malware, now Mactards are denying they ever claimed it. Typical hypocrites; like manufacturer like illiterate users.
  • Not only do I rarely patch my Mac...

... This particular instance has been running for nearly *90* days without a reboot on my rMBP. Flash in Chrome quit working about a month ago but it still hasn't been enough to get me to reboot (I just open the Flash things I want in Firefox). And yes, the constant Apple nag in the upper right-hand quadrant now never disappears for more than 5 minutes at a time.

    last reboot
    reboot ~ Wed Jun 19 15:01
    reboot ~ Fri Apr 5 00:50
    reboot ~ Fri Apr 5 00:50
    reboot ~ Wed Mar 6 23:13

    Yes, I'm an awful Mac user LOL.
    • And?

      I could easily go 90 days on my Windows systems if I didn't patch them.
  • MS patching is

a COMPLETE REWRITE of the OS!! XP had patches that amount to 3 TIMES the SIZE of the OS!! Only in Microsoft are the patches bigger than the actual product :-) ahahaha
    Sbb Kbb
    • A few comments

      1) We're not talking about Microsoft in general, or XP in particular.

      2) Are you talking about the total size of all the patches put together, or a particular single patch? Also consider that the "shelf life" of XP has been about 12-13 years, whereas most versions of OS X are not supported for nearly that long.
      Third of Five