Apple Issues Fourth Security Update in as Many Months

Apple (Nasdaq: AAPL) issued a whopper of a security update Thursday for its Mac OS X. The update contains fixes for 25 security flaws in the operating system.

This most recent update marks the fourth Apple has released in 2007. In March, the computer maker released an update to repair 45 security vulnerabilities in the OS. During the first four months of 2006, the Mac maker released just two Mac OS X updates.

"There have been a lot of patches and a lot of pressure put on Apple in the last year," Rob Ayoub, a senior analyst at Frost & Sullivan, told MacNewsWorld. "It show a couple of things. One, the increased popularity of Apple [computers]. And, two that they have taken a much more serious stance on security and they are addressing a lot of bugs."

Security Alarm

The security update deals with a flaws throughout various areas of the Mac OS X operating system, such as Login Window issues that could allow a local user to obtain system privileges, bypass the screen save authentication dialog or bypass the login window authentication.

Other problems concern third-party components, including Kerberos authentication technology. Running the application's administration daemon could lead to arbitrary code execution with system privileges or an unexpected termination of the application.

The most critical flaws could enable an attacker to take complete control of an unpatched Mac, according to the security advisory. Three of the patches scored between a seven and an eight on the CVSS (common vulnerability scoring system) scale, a recognized tool used to measure the severity of vulnerabilities.

"A high score means [the vulnerability] is remotely exploitable without the user doing anything," Ayoub explained. "Lower scores require users to be on the keyboard.

"For this case, there are still some that are critical, but it is really only three out of the 25 that are really critical," he added.

"The bugs tackled by the security patch are serious," Graham Cluley, senior technology consultant at Sophos, told MacNewsWorld.

Secure Feeling

The Month of Apple Bugs (MoAB), a blog that marked each day in January by exposing another Apple flaw, is one reason that Apple has released so many fixes this year. Three of the zero-day bugs contained in the update were revealed during MoAB.

"Part of the reason we've seen so many fixes is that there was a rash of vulnerabilities reported as part of the Month of Apple Bugs publicity stunt," Andrew Jaquith, senior analyst at Yankee Group, told MacNewsWorld. "Quite a few of the fixes in these two batches close holes introduced by that project."

Apple patches tend to receive less publicity than those from archrival Microsoft (Nasdaq: MSFT), Cluley explained, possibly because hackers are much more likely to target Windows users than Apple users. It is inevitable that the more actively and widely attacked Windows will steal more of the headlines.

However, the good news for Apple users, Cluley continued, is that they are not on the front line when it comes to cybercrime. Most hackers continue to target Windows users, many of whom have done and are doing a poor job of keeping their own security patches up-to-date.

This doesn't mean Apple owners can relax their guard, Cluley warned. "Apple doesn't put out security bulletins like this for fun, but because it is concerned that hackers could exploit a problem with their software." Mac users need to ensure that they are keeping up-to-date with the latest security patched and not allow themselves to be lulled into a false sense of security.

"No operating system is 100 percent secure," Cluley said. "And this is a salutary reminder to Mac users that -- although Windows gets attacked more often by malware -- they are not invulnerable themselves."