Apple Update Patches 13 Flaws
Apple has issued a bundle of security fixes to mend 13 separate security flaws in several versions of its Mac OS X operating system, including quite a few holes that attackers could use to seize control over vulnerable machines.
Nine of the 13 vulnerabilities reside in various Web-facing applications, including the Apache Web server. Two other flaws were found in Apple programs that process secure sockets layer transactions, which are designed to provide communications privacy over the Internet, usually at sites that require sensitive information, such as credit card numbers, user names and passwords.
Another pair of vulnerabilities reside in Safari, Apple's default Web browser. Other flaws could be exploited by convincing the user to browse a site with a specially crafted domain name or an overly long Internet address.
Before I launch into what will certainly be a flame-inducing rant: The patches apply to versions 10.3.9 and 10.4.3 of Mac OS X and OS X Server. Mac users can download the fixes via Software Update or manually from Apple Downloads.
Each time Security Fix posts information about patches, we almost always hear from a bunch of Apple users who invariably leave comments like, "Buy a Mac, and get a life," or "Humbug! Nobody's attacking Macs, so it doesn't matter how many dang patches are issued." Well, maybe, maybe not.
But over the weekend I found myself stuck in a local mall with hordes of bargain-hunting shoppers, and noticed for the first time a truly massive new Apple store where an old clothier used to be.
There were so many people in that place that I thought the dozens of Mac machines whirring atop gleaming white towers throughout the store were going to melt or burst into flames -- the temperature in that place was easily 10 to 15 degrees warmer than any other store I'd been in. There could not have been enough machines in the stockroom to satisfy all the customers jostling for a chance to play with the computers.
Fact: Macs are coming down in price. Fact: More people are so fed up with the incessant viruses, spyware, etc. on Windows that switching to a Mac is more appealing than ever. My hunch: 2006 may turn out to be the year we start seeing significant growth in the Mac user base, and with it, if not Mac viruses or worms, then at least some automated tools for attacking various Mac vulnerabilities.
I'm willing to bet that there are plenty of Mac users still running older or at least unpatched -- and unfirewalled -- versions of OS X (10.3.x). Take a growing user base and combine that with the complacency that comes with not having to fend off constant attacks, and it seems to me you have a fertile stomping ground for attackers.
For a long while, Firefox users touted their favorite browser as a more secure alternative to Internet Explorer. Now that Firefox has gained close to a 15 percent market share, we have started to see more and more security researchers and attackers focusing their attention on it.
At least two of the Mac vulnerabilities detailed today involve system processes that normally aren't allowed to modify settings -- but the programs, if tweaked the right way, could allow attackers to elevate their privileges on the affected machines. Combine those types of flaws with a slew of vulnerabilities that are exploitable via various Web applications and things could start to get nasty for Mac users.
Then again, I'm no Mac expert. Just go and download your patches already. And let the flame wars commence.