The seventh major update to OS X this year includes a fix that stems from a vulnerability Apple patched in the iPhone earlier this year but apparently never scrubbed on OS X. According to security vendor Core Security – which said it released details about the flaw ahead of Apple’s advisory after waiting nearly three months for Apple to fix it — the vulnerability is a variation of the flaw exposed this summer that helped iPhone users jailbreak devices running iOS4. Apple fixed that bug in the iPhone shortly after the exploit was released, but until last week the flaw remained a weak spot in OS X 10.5/Leopard systems, Core said.
This patch batch also includes security fixes for QuickTime, Time Machine and Safari RSS. Updates are available for OS 10.6 and 10.5, client and server versions, through Software Update. Applying this patch may take a while: The Leopard client version of Security Update 2010-007 weighs in at more than 240 mb.
If you already applied the Flash update that Adobe made available on its site for Mac users last week — v 10.1.102.64 — your version of Flash should already be protected, as the Apple security advisory says the latest Mac OS X megapatch addresses the same vulnerabilities listed in Adobe’s advisory.
Also, a note to Mac users who have installed or purchased Microsoft Office for Mac 2011 — the latest version of Office for OS X: Microsoft last week issued a critical update for that product that patches a vulnerability the company said could be exploited by an attacker to overwrite content of your Mac’s memory with dangerous code, such as a virus or Trojan horse.