Apple Patch Day: Gaping Mac OS X, Safari holes

It's Apple's turn on the Patch Day treadmill and, for Mac OS X users, it's quite ugly.As I write, Apple has released four different bulletins to cover 48 documented vulnerabilities in the Mac OS X ecosystem, a solitary code execution flaw affecting Safari for Windows and four different security problems in Java for Mac OS X.

It's Apple's turn on the Patch Day treadmill and, for Mac OS X users, it's quite ugly.

As I write, Apple has released four different bulletins to cover 48 documented vulnerabilities in the Mac OS X ecosystem, a solitary code execution flaw affecting Safari for Windows and four different security problems in Java for Mac OS X.

Security Update 2009-001 is quite a whopper, providing patches for holes in a wide range of components, including several open-source implementations like ClamAV and fetchmail.

[ How does Apple get away with this badware behavior? ]

This is a high-priority update for all Mac OS X users so don't fool around when you see that Software Update alert.  All the raw details can be found in this advisory.

If you're a Windows user and Safari is installed on your machine, pay special attention to this alert, which warns of code execution exposure on Windows XP and Windows Vista.

  • Multiple input validation issues exist in Safari's handling of feed: URLs. The issues allow execution of arbitrary JavaScript in the local security zone. This update addresses the issues through improved handling of embedded JavaScript within feed: URLs.

[ Pwn2Own hacker contest targets browsers, smart phones ]

Apple also shipped a Java for Mac update with fixes for 4 more security problems:

  • Multiple vulnerabilities exist in Java Web Start and the Java Plug-in, the most serious of which may allow untrusted Java Web Start applications and untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution with the privileges of the current user.