Network News

X My Profile
View More Activity

Apple Patches 40 Security Holes

Apple on Wednesday released an update to fix at least 40 different security holes in computers powered by its Mac OS X operating system and other software, including a just-in-time update to fix a dangerous vulnerability in the Adobe Flash Player that is being rather heavily exploited at the moment in Microsoft Windows versions of the player.


The Flash update brings the Mac version of the Flash Player up to the latest version, which protects users against a proliferating number of sites using vulnerabilities in older Flash versions to install malicious software on exposed computers. While the attackers are so far delivering viral payloads designed exclusively for Microsoft Windows systems, the researcher who discovered the method by which the flaw is being attacked warned that the vulnerability could be similarly exploited on any operating system for which Flash is available, including Mac OS X.

At least seven of the security issues patches in Apple's update involve flaws in image file formats that could be exploited merely by convincing a Mac user to click on a tainted link or view a specially-crafted malicious image.

Also patched in this roundup is a security hole in iCal that researchers at Core Security reported to Apple in January. The Core folks found that by tricking an unsuspecting user into opening a specially-crafted calendar file (one ending in ".ics"), an attacker could plant malicious software on a Mac user's machine.

For a dispassionate account of how Apple often deals with security researchers, check out Core's timeline of their interaction with Apple's security team, which appears to have dithered about the severity and number of flaws involved for nearly six months before releasing a single fix. Core's advisory went out more than a week ago, after Apple missed a coordinated patch/vulnerability advisory release date for the fifth time in a row.

Mac users can grab the latest update using the built-in Apple Software Update application, or via Apple Downloads.

By Brian Krebs  |  May 29, 2008; 6:35 AM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Symantec Pledges Less Bloat, More Speed
Next: New Trillian IM Software Fixes Three Security Holes


About time they patched the iCal flaw! Anyways, installed 10.5.3 with no problems.

Posted by: Martin | May 29, 2008 8:10 AM | Report abuse

I had a lot of trouble installing 10.5.3, took over an hour
and a call to Applecare.

Not a good sign

Posted by: pat b | May 29, 2008 11:29 AM | Report abuse

The "better" Apple-themed magazines suggest using Apple Downloads as the best way to upgrade and install the latest and greatest. I grabbed the 10.5.3 combo, downloaded it and installed with no problem. Using this method, it seems a little more transparent, as opposed to using the update application. After, I checked again to see if there were any other updates available to my OS version. Nope, mission complete! And everything seems fine.

Now, I need to find out whether its really necessary to save the dmg or the package? I thought the package was automatically saved?

Posted by: umm.huh | May 29, 2008 12:39 PM | Report abuse

In all fairness, how many actual malicious attacks are in the wild for MacOS X as compared with those for Windows XP or Vista? The headline suggests that Macs are more venerable than Windows.

Posted by: SidInKeyWest | May 29, 2008 1:04 PM | Report abuse

"The headline suggests Macs are more vulnerable than Windows"?? Where does the headline even mention Windows?

Never fails, anytime there's a mention of Apple security, all the Mac fanboys stand up and say, wait, wait, wait, but Windows is so much more insecure, there's no comparison, blah blah.

Nobody's comparing Apple to anything here so get a grip

Posted by: Anonymous | May 29, 2008 1:20 PM | Report abuse

"Macs are more venerable than Windows."

According to wikipedia, the first Mac came out in 1984
and Windows 1.0 was released in 1985
so yes, Macs are more venerable than Windows by about a year =)

Posted by: Mark | May 29, 2008 1:47 PM | Report abuse

I love OS X, I've been using Mac since dayone and I contiune to recommend everyone to use Mac instead of the junky Windows trash. But when it come to security, come on, apple people, wake up. Any OS is open for attack whether OS X, Linux or Windows. It's only a matter of time as OS X gains bigger market share.

Posted by: rich | May 30, 2008 6:57 AM | Report abuse

I guess that is great for MAC users. I didnt think MAC had any security holes.


Posted by: John thomas | May 31, 2008 12:04 PM | Report abuse

I love the sensationalization of the article's title. Perhaps I'm mistaken, but when you place a link to suggest more then 40 security holes... and then see that only 26 items are found at the link - doesn't quite ring true.

6 of the fixes are specifically for previous versions of OSX, and are not applicable for boxed version of the current system. Of what's remaining, some are fixes pertaining to the Server environment only, and not to the average Mac user at all.

If one actually reads what's listed in the supposed 40 security holes, you may find that Apple is more the one in making a mountain from a mole-hill. Far fetched circumstances show Apple's thoroughness.

Several examples are akin to: If you're programming in the old operating system, open a crafty file that wold cause the program to quit, or run a chunk of random code (probably resulting the quit).

That's like fixing a Home-Security hole for the specific event of painting a wall a specific colour of green on the second floor - If you leave the back gate open longer then it takes to bring the groceries into the house, a kid with a squirt gun might get in the yard and score a perfect shot through the window and hit the wall you're painting - causing you to roll another coat over that spot.

What the article fails to point out in it's "big bang" security title is the many layers of security OSX has for these kinds of scenarios - comparable to a SWAT team taking down the kid with the water gun before he can reach the fence.

Read the material from the link before you buy the story. Most of what you will find would result in an inconvenience to any user where malicious code made someone's app shut down.

I can see it now, some obscure hacker sends you a malicious iCal file for you to use... You use it mostly because you don't know the guy, and you want to save his event... and you ignore all the warnings the system tells you for downloaded it. Then your iCal quits, You hear a distant evil laugh... You delete the file and restart iCal.

As for those who made comments about MAC vs. PC - have a valid point. Yes, this article said nothing in comparison with PCs, but everyone knows where Brian Krebs sits.

Brian ran a huge article about Norton antivirus software and it's sluggish behaviour (someone pinch me). The article was twice the size of this one, and quoted the Symantec brass more times then I care to count. Somehow, the PR article didn't have me convinced in shifting investment portfolio to the company.

Brian points out that the biggest exploit (in no certain terms) is the flash player. An issue he's covered very thoroughly in the past with all the PC environments. I have to say that this article isn't quite worth the attention Digg is giving it, I mean, the current version of flash player for OSX is; was out more then a month ago given it's then end of May. If you follow Brian's word at all, you would have had on your system six weeks ago. But in case you hadn't bothered, Apple put it in. So for this to be "rather heavily exploited at the moment" has some serious timing issues "at the moment".

To make clear my point: Brian's security reports of the past are 95% PC headlines. So its clear that if Apple posts a security fix, Brian might be there camped out front to give us the report live as the software update engine downloads to your local OSX user.

Posted by: Drexus | May 31, 2008 1:50 PM | Report abuse

@ SidInKeyWest:
MAC's may be more venerable in your opinion, but they might also be more vulnerable, too.
@ Drexus:
"Methinks you do protest too much."

Posted by: Pete from Arlington | June 2, 2008 12:51 PM | Report abuse


The "26 items" that you counted are the product components, not the vulnerabilities. (Hint: look at the CVE IDs.)

Posted by: t_joe | June 3, 2008 9:33 AM | Report abuse

'check out Core's timeline of their interaction'

OMG. We're going to roast them for this. Thanks.

Posted by: Rick | June 7, 2008 5:14 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company