Apple (Nasdaq: AAPL) released its first security update for 2008 late Monday, correcting vulnerabilities in OS X Leopard and Tiger. Mac OS X 10.5.2 and Security Update 2008-001 correct 11 flaws in applications such as Time Machine, Parental Control, Mail and Safari.
Also included is a patch for a directory services vulnerability that was listed in the "Month of Apple Bugs" project, released in January 2007. Originally reported by Kevin Finisterre of Netragard, the bug could cause a stack overflow that could allow a local user to execute arbitrary code with system privileges. The security hole does not affect Leopard users, Apple said in the update.
"Since this vulnerability is one of privilege escalation, an attacker would already have to have access to or a login for the computer in order to exploit it. That, obviously, limits the usefulness of this particular vulnerability to attackers," explained Richard Wang, U.S. SophosLabs manager.
"On paper, [the long wait for the fix] may seem egregious. But Apple took a calculated risk by not releasing a fix while they were working on Leopard, and they got lucky," said Chris Rodriguez, a Frost & Sullivan analyst.
Despite the year-long wait for a patch, Wang also noted that there have not been any sightings of cybercriminals using the flaw.
"We have not seen any instances of exploits of this vulnerability," he told MacNewsWorld.
Plugging Holes
Among the 11 flaws patched by Apple's latest update, those found in Mail and Foundation are considered the most pernicious of the bunch, as they allow for the arbitrary execution of code, according to Wang.
"Vulnerabilities that allow arbitrary code execution are the most dangerous. These are the types of vulnerabilities that remote attackers typically try to exploit in order to gain control of a computer," he told MacNewsWorld.
Bugs in Apple's Terminal could also lead to arbitrary code execution if hackers are able to entice a user to visit a maliciously crafted Web page. The hole could allow an attacker to cause an application to be launched with controlled command line arguments, which could lead to arbitrary code execution.
The threat of arbitrary code execution also extends to devices. The Foundation flaw, in addition to affecting Leopard and Tiger, is also considered a high risk on iPods and iPhones, according to IBM's (NYSE: IBM) Internet Security Systems (Nasdaq: ISSX).
"That's interesting as well," Rodriguez said.
The company recommends that users upgrade to the latest version of Apple iPod touch and Apple iPhone 1.1.3 or later. Mac users will also need to download the 2008-001 security update.
While it may not pose the same level of risk for Mac users, the Parental Controls flaw could result in the unwitting disclosure of the application's settings when users who are trying to manage Web content unblock a Web site. Parental Controls will automatically contact Apple, potentially alerting a remote user to machines using the application. The update addresses the issue by removing the outgoing network traffic when a Web site is unblocked, according to Apple.
"Anytime there's information disclosure, it's serious but not as serious as something that allows arbitrary code execution. Those are the worst," Rodriguez explained.
Update, Update, Update
The remaining flaws may not pose a serious risk to Mac users; however, they'll still need to install the update to correct Launch Services in Time Machine, Open Directory, Samba and Unix component-related vulnerabilities.
Wang's advice to Mac users is the same as that for other computer users:
- Keep your software up-to-date
- Use security software
- Be cautious online
- Don't make the mistake of assuming that avoiding Microsoft (Nasdaq: MSFT) Windows protects you from attack
Mac users can download the update using Software Update or directly from Apple's download site.