Apple smashes patch record with gigantic update

Fixes 134 flaws with Mac OS X update, 55 in Flash alone

Apple on Wednesday patched more than 130 vulnerabilities in Mac OS X, smashing a record the company set last March when it fixed over 90 flaws.

The update for OS X 10.6, aka Snow Leopard, and OS X 10.5, better known as Leopard, was Apple's first since September and the seventh for the year.

Calling the update "huge," Mac vulnerability expert Charlie Miller pointed out that even with a staggering 134 patches, there were plenty of flaws still around.

"Apple releases huge patch, still miss all my bugs," said Miller in a tweet late Wednesday. "Makes you realize how many bugs are in their code, or they're very unlucky."

Security Update 2010-007, offered on its own to Leopard users but combined with non-security changes in version 10.6.5 of Snow Leopard, boasted 46 per cent more patches than the biggest to date.

But Apple's patch numbers were inflated by the fixes for a whopping 55 vulnerabilities in Adobe's Flash Player. Unlike other operating system vendors, Apple bundles Flash with its OS and maintains the popular -- and frequently flaw-filled -- media player using its own update mechanism.

Flash patches accounted for 41 per cent of the total that Apple issued today.

Unlike the last time when Apple patched Flash in Mac OS X, yesterday's update included all known Flash fixes, including 18 that Adobe shipped just last week.

In June, Adobe criticized Apple for not keeping users up-to-date. "10.6.4 update for Mac OS X includes Flash Player, but not the latest version," said Brad Arkin, Adobe's director of security and privacy, at the time.

Apple has now caught up by dumping patches into yesterday's update that Adobe released in four Flash security events between early June and early November. What's unclear is how long Apple will continue to provide Flash patches to its customers.

Three weeks ago, Apple confirmed that it was ditching Flash -- the new MacBook Air laptop was the first Flash-less system -- but did not say when it would stop fixing Adobe's flaws. Meanwhile, Adobe has promised to add auto-update notification that would tell Mac users when a new version of Flash is available, but it has declined to set a release date for the tool.

Apple and Adobe have been butting heads over Flash since 2007, but the dispute grew hot this year as the two companies traded blows over Flash content on Apple's iOS-powered devices, with CEO Steve Jobs trashing Flash in April and the co-chairs of Adobe's board of directors accusing Apple of undermining the Web in mid-May.

Of the 79 non-Flash patches in Wednesday's massive collection, 16 were related to X11, Apple's implementation of the Unix X Windows System; nine affected QuickTime, Apple's own media player; four were in OS X's ImageIO component; and another four resided in Apple Type Services (ATS), the operating system's font renderer.

Among the patched ATS bugs was one that went public Monday when Core Security Technologies warned Mac users that Apple had missed two earlier self-imposed deadlines to deliver a fix. The Core warning was notable because the bug -- which was present only in Mac OS X 10.5, or Leopard -- was a variation of one used last summer to "jailbreak" iPhones running iOS 4.

Three of the nine QuickTime vulnerabilities were reported to Apple by HP's TippingPoint, which runs a bug bounty program called Zero Day Initiative.

Another QuickTime flaw was submitted by Nils, a researcher who works for a U.K.-based security consulting firm, MWR InfoSecurity. Nils, who uses only his last name when he reports vulnerabilities, is best known for his work at Pwn2Own, an annual hacking contest held in Vancouver, British Columbia, Canada.

At the 2010 event, Nils sidestepped two major defensive technologies in Windows 7, DEP and ASLR, to exploit Mozilla's Firefox and walk away with a $10,000 cash prize. The year before, Nils grabbed $15,000 by exploiting not only Firefox, but also Safari and Internet Explorer 8.

Most of the flaws patched Wednesday were described with the standard Apple phrase "may lead to arbitrary code execution," the Cupertino, Calif. company's way of labeling the flaw as critical. Apple does not assign ratings or severity scores to bugs it patches, unlike other large software makers, such as Microsoft and Oracle.

Alongside the 134 patches, Apple tackled more than two-dozen non-security issues, many of them stability or reliability problems.

Apple's practice is to divulge no details of such fixes, instead offering only terse one-line descriptions. "Addresses stability and performance of graphics applications and games," for example, could conceivably involve scores of changes at the heart of the operating system.

The 10.6.5 upgrade also fixed a problem with some HP printers connected to a wireless network, added support for encrypted transfers of files to Apple's online storage service, and improved the reliability of connections to Microsoft Exchange servers.

Considering the size of the upgrade -- between 240MB and 645MB for the client version of Mac OS X -- it's not surprising that reports of problems have trickled into Apple's support forum. Several users, for instance, said that they were unable to connect with 802.11n wireless networks after upgrading to 10.6.5.

The most serious problem, however, affected users of PGP's Whole Disk Encryption software: They reported that their Macs would not boot after the update, forcing them to restore from backups.

According to a message from PGP, users can safely apply the upgrade if they first decrypt the drive.

Mac OS X 10.6.4 and the 2010-007 can be downloaded from the Apple site or installed using the operating system's integrated update service.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleMac OSsecuritysoftwareMalware and Vulnerabilitiesoperating systems

More about ADEAdobe SystemsAppleCore Security TechnologiesetworkHewlett-Packard AustraliaHPMacsMicrosoftMozillaOraclePGPTippingPointTippingPoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place