Apple (Nasdaq: AAPL) released another security update Thursday for its Mac OS X operating system to prevent certain components from crashing and protect areas deemed vulnerable.
This latest bundle of fixes marks the fifth update from Apple this year and corrects 17 bugs, some of which could permit arbitrary code executions and denial of service.
Apple recommends the security update for all Mac OS X users, as it improves the security of the Berkeley Internet Name Domain (BIND), CarbonCore, crontabs, fetchmail, file, iChat, ruby, screen, Texinfo and virtual private network (VPN) components.
Update ASAP
While the bulk of the flaws corrected by Security Update 2007-005 are not deemed critical, half of them could be used to crash the affected component, a denial of service. Five of the remaining vulnerabilities could enable an attacker to execute malicious code.
"Some of these vulnerabilities are pretty serious -- allowing hackers to run code on vulnerable Mac computers without the user's permission," Graham Cluley, senior technology consultant at Sophos, told MacNewsWorld.
"For that reason, Mac users would be wise to ensure that they are updated with these security fixes as soon as possible," he added. "The good news is that Mac OS X includes functionality to automatically download security updates when users are connected to the Internet."
Bug Catcher
One of the more serious vulnerabilities dealing with the CoreGraphics component could adversely affect users who open a maliciously crafted PDF file and lead to an unexpected application termination or arbitrary code execution, according to Apple.
"By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution," the Cupertino, Calif.-based computer maker said.
Another fix, in fetchmail, prevents the disclosure of fetchmail passwords. The update also corrects an issue with the file command line tool that could lead to an unexpected application termination or arbitrary code execution if users run the file command on a maliciously crafted file.
A bug in the code that iChat, Apple's instant messaging software, uses to create port mappings on home networks has also been plugged. Without the fix, a cybercriminal could send a maliciously crafted packet on the local network to trigger a buffer overflow that would subsequently allow the attacker to insert malicious code onto the Mac.
"These all seem like vulnerabilities that are, at best, moderate in severity," Andrew Jaquith, an analyst at Yankee Group, told MacNewsWorld. "All of them are either local exploits, denials of service or exploits for things that most users won't use normally.
"For example, I don't think that your normal Mac user is running a Ruby server on their desktop. None of them seem nearly as critical as the vulnerability that Dino found at CanSecWest last month, which was genuinely worrisome," he added.
The Exterminator
Thursday's security update brings the total number of vulnerabilities Apple has fixed this year to more than 100. About this time last year, the Mac maker released only three security updates. At the end of 2006, Apple released patches for 110 vulnerabilities. A lot of the fixes in this latest batch are "very new," according to Chris Rodriguez, a research analyst at Frost & Sullivan.
"A lot of them were [discovered] in late April and May," he told MacNewsWorld. "One of them was [found] in January and one dated back to December. But it shows that [Apple] is really keeping on top of this."
Unlike Microsoft (Nasdaq: MSFT) with its "Patch Tuesdays," Apple has not announced it will release its updates based on a monthly schedule. That is a good thing, according to Jaquith.
"Unfortunately for Microsoft and the Internet community at large, the bad guys often time the release of their exploits so that they occur just after Patch Tuesday -- this has given rise to the term 'Zero-Day Wednesday,'" Jaquith explained.
"Apple doesn't have the kind of enterprise presence that Microsoft does, so I don't see why it would benefit them to have regular patch release days," he continued. "Why give the bad guys another way to 'game the system?' It's clear, though, that Apple has needed to release patches more frequently than in the past."
However, the company's fifth patch this year does indicate that Apple is taking seriously the security issues that may affect its user base, and is keen to issue security updates as appropriate, Cluley noted.
"As a result, it's unlikely that this will be the last security update we will see from Apple this year," he concluded.
Mac users can download the update via the automatic update service or through the Apple site.