Headline Feeds
Apple (Nasdaq: AAPL) released a second AirPort Extreme software update late Thursday night. The computer maker issued the first release January 25, after the "Month of Kernel Bugs" blog disclosed the problem in November 2006. The fix is recommended for "all Intel-based Macintosh computers."
The patch weighs in at a hefty 6.5 MB and contains the fix released in January as well as a new component that contains a compatibility fix for a WEP (wired equivalent privacy) issue that came up after the original Airport Extreme release, Rich Mogull, research vice president for Information Security and Risk told MacNewsWorld.
"The security patch is the same one from 2007-001; they are just re-including the same fix and recommending people skip 001 and go to 002 if they still need to patch," he said. "Thus, this is more a patch to fix a compatibility issue than the security issues."
A Buggy Affair
The previous security update corrected a flaw that affected the way the AirPort Extreme driver handles wireless frames. At the time, the Apple alert stated that an out-of-bounds memory read could occur as a result. The impact of such an attack on a wireless system could cause it to crash.
"An attacker in local proximity may be able to trigger a system crash by sending a maliciously-crafted frame to an affected system," the alert said. The vulnerability was patched "by performing additional validation of wireless frames."
The problem was of particular concern, according to Mogull.
Following the release of the first patch, Mogull said an attacker would not need to be in physical proximity to the victimized system, but only needed to be within range of the wireless signal in order to send a malicious wireless packet.
"If anyone hasn't patched for the security flaw, it's definitely mandatory," Mogull explained. "But for those not experiencing problems with third-party access points, and already patched with 2007-001, it's not as important."
Slow Uptake
The nearly six-week time lapse between the release of the original update and the second could be attributable to an apparent increase in the uptake by users gravitating toward WiFi enabling devices, according Sophos security analyst Ron O'Brien.
"We saw them at Christmas, then saw them a little bit more after Christmas, and it is just becoming more widely accepted than before, when it was an 'I don't know if I want to do this' kind of thing," he told MacNewsWorld.
Another reason for the double release is that Mac users have been relatively lackadaisical about installing security updates, Rob Ayoub, an analyst with Frost & Sullivan, told MacNewsWorld.
Windows users have been beaten over the head with warnings about not installing needed updates. As a result, they have become much more cognizant about security updates and more vigilant in ensuring that they are installed in a timely manner.
Ayoub said that while the first update was definitely the more important of the two security releases, Apple's decision to include all of those fixes plus the compatibility fix indicates that not enough "Macolytes" downloaded the original patch.
"We still haven't seen the uptake in the Apple community for keeping their machines up to date as we have seen in the Windows community," Ayoub said. "And so, you could speculate that while there were some issues in with the first release, that part of why they did a re-release was to bring it to the attention of Mac users.
"They are releasing it again to try to raise visibility and hopefully encourage users to update," he opined. "[Apple users] are not traditionally as good at updating as their Windows counterparts."
Control Issues
Although many in the Mac community could seemingly go on for days regaling Windows users on the relative superiority of the Mac-based versus a Windows-based PC, one thing that Apple has not worked out is a system for automatic updates.
"With Apple, you can schedule an update to install but I don't think they have a default setting for automatic updates," stated Ayoub. "Windows has gotten the updating down to where it really runs in the background without user knowledge or intervention," he said.
Microsoft (Nasdaq: MSFT) routinely releases needed security and other patches on so-called "Patch Tuesdays," normally the second Tuesday of the month. With a much broader user base than the Apple, Ayoub said, Microsoft had to come up with something.
"Apple somehow needs to eventually get there," he added. "Right now, they are still relying on people to go out and manually get updates or at least manually click on the software update within Mac OS X. And as Macintosh becomes more popular, there will be an increased threat to their machines.
"Users will have to become more educated and [there will have to be] more software update mechanisms in the Mac OS," he concluded
With users downloading software so their machines to handle the early switch to daylight saving time this Sunday, Sophos' O'Brien urged consumers who have kept their computers up-to-date to use the opportunity to download missing patches and other software.
"Bottom line -- whatever operating platform you are using, keeping it updated with patches is critical," O'Brien added. "We are recommending that this would be a good time to make sure that any and all security updates have been installed, and also that they're antivirus software definitions are up-to-date."
Talkback: 
