Mac users: You have to patch too

OS X and Mac applications have security vulnerabilities too; some people still don't believe it, but it's true. Here are the latest ones and why you need to take them seriously.
Written by Larry Seltzer, Contributor

[Correction: Several mistaken cat names of OS X versions were corrected in this story. The version numbers of the affected versions were all correct; only the name attributions were wrong.]

The release yesterday of OS X 10.8.5 caps a fairly busy security update season for Mac users. Yes, you thought Windows users were getting all the grief? In fact, Mac users have a lot of work to do too to keep their systems safe. And it's not just updates from Apple you need.

Along with 10.8.5, Apple released Security Update 2013-004 for OS X 10.7 (Lion) and for 10.8 (Mountain Lion) and a separate security update for Safari for Mac on 10.6 (Snow Leopard), bringing it to version 5.1.10.

The security updates in 10.8.5 and 2013-004 address 31 separate vulnerabilities, the oldest of which was confirmed and fixed 18 months ago. Taking forever to patch vulnerabilities is common for Apple. A total of 9 vulnerabilities patched in these latest updates date from 2012, although these all seem to be in server processes such as Apache and OpenSSL.

But many are the type to affect most Mac users: Two vulnerabilities in the handling of graphic data in PDF files, both reported to Apple by Google, could result in malicious code execution simply by opening a PDF.

Another that should be of great concern is a vulnerability in sudo which was first announced in February of this year. A user with admin privileges can gain root privileges if sudo has ever been used before on the system. The nearby graphic explains more about how sudo works.

How sudo works. Credit: XKCD (http://xkcd.com/149/)

The Safari updates address multiple memory corruption errors in JavaScriptCore's JSArray::sort() method. The vulnerability only affects OS X 10.6 (Snow Leopard).

But that's just the Apple stuff. Microsoft's Patch Tuesday earlier this week had one update (MS13-073: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)) which affects Office for Mac 2011, and can result in remote code execution.

Do you use Adobe Reader or Acrobat? Flash or Shockwave? Then it's time to visit get.adobe.com to download the current versions of those products to address serious vulnerabilities in them.

Finally, there's Java. Assuming you're unwilling to remove Java from your system and not look back (that would be the best option), you should update ASAP to the latest build, Java 7 Build 40 (32-bit, 64-bit), in order not to be vulnerable to attack.

And yes, there really are attacks out there against Macs which exploit vulnerabilities. Intego, a Mac security company, recently wrote up a malicious program which exploits Java vulnerabilities.
