15 Nov 10

OS X Patch Catch-Up


Apple recently released a massive update to address at least 130 security vulnerabilities in Mac OS X systems, including a monster patch that fixes 55 flaws in Adobe Flash Player.

The seventh major update to OS X this year includes a fix that stems from a vulnerability Apple patched in the iPhone earlier this year but apparently never scrubbed from OS X. According to security vendor Core Security, which said it released details about the flaw ahead of Apple’s advisory after waiting nearly three months for Apple to fix it, the vulnerability is a variation of the flaw exposed this summer that helped iPhone users jailbreak devices running iOS 4. Apple fixed that bug in the iPhone shortly after the exploit was released, but until last week the flaw remained a weak spot in OS X 10.5/Leopard systems, Core said.

This patch batch also includes security fixes for QuickTime, Time Machine and Safari RSS. Updates are available for OS X 10.6 and 10.5, client and server versions, through Software Update. Applying this patch may take a while: the Leopard client version of Security Update 2010-007 weighs in at more than 240 MB.

If you already applied the Flash update that Adobe made available on its site for Mac users last week (v10.1.102.64), your version of Flash should already be protected, as the Apple security advisory says the latest Mac OS X megapatch addresses the same vulnerabilities listed in Adobe’s advisory.

Also, a note to Mac users who have installed or purchased Microsoft Office for Mac 2011, the latest version of Office for OS X: Microsoft last week issued a critical update for that product that patches a vulnerability the company said could be exploited by an attacker to overwrite the contents of your Mac’s memory with dangerous code, such as a virus or Trojan horse.


10 comments

  1. Charlie Miller on the update:

    “Apple releases huge patch, still miss all my bugs. Makes you realize how many bugs are in their code (or they’re very unlucky) #crappycode”

    https://twitter.com/0xcharlie/status/2551924867993600

  2. The Flash update broke handling of third-party video source components within Flash like Google Talk “Google Camera Adapter” and ManyCam.

    I opened a bug report with Adobe here:

    http://bugs.adobe.com/jira/browse/FP-5730

    that they have accepted as reproducible.

    Basically, Flash broke its ability to use these third-party components somehow. The components still work just fine with other non-Flash applications.

    • It breaks worse than PGP. It “bricks” the system if whole disk encryption is applied. There’s a fix from PGP but it involves booting to a cd and running a bunch of terminal commands. Decrypt first, apply the patch, then reencrypt.

      • I don’t think it’s bricked is it? I thought worst-case-scenario you can pop in a fresh, clean hdd and start from scratch. Does PGP touch the EFI in some way? This is very disconcerting. Where I work, we use PGP and have a substantial Mac user base.

  3. A bit off topic, but I have to voice my displeasure with iTunes on Windows. I’ve disliked it for some time now and have kept it off my primary system due to its bloat.

    But, recently I had to install it on the “house” laptop since a family member bought an iPod, which of course requires iTunes in order to sync anything to it (why do we have to be locked into this?). This is a five year old laptop mind you, but before installing iTunes, it was a lean mean relatively fast system (Windows XP). Ever since installing iTunes (which includes QuickTime), that PC’s performance has increasingly gone downhill! It’s not as responsive anymore, things don’t “pop” like they used to when launching programs or just using the system overall.

    After the install there are now FOUR new processes ALWAYS running:

    1. iTunesHelper.exe
    2. AppleMobileDeviceService.exe
    3. iPodService.exe
    4. mDNSResponder.exe (part of Bonjour networking)

    I’ve also noticed network activity coming from this system when it’s not being used, which from my firewall logs indicate it’s to an Apple owned IP address range! It appears the software is phoning home.

    One last gripe is that Apple provides VERY little information when there is an update for iTunes. The recent update just says something about adding support for AirPlay and the laughable “important stability and performance improvements”! What does that mean??? More information please! Couldn’t find anything on the Apple website that explains in any more detail either!

    Anyway, your mileage may vary and it may not affect a newer system as much. I’m certainly not going to use my newer system (Intel Core i5) to find out! :(

    /rant

    • I have to agree with you about iTunes being an unwelcome resource consumer. It’s rude but understandable to be a hog when the user tells a program to run. Another thing to siphon off power when dismissed or not even asked to start.

    • If iTunesHelper.exe works just like its Mac version, you can try to turn it off – if you don’t use any of iTunes’ “system-wide” properties, such as iTunes starting when you insert a music CD or plug in an iPod.

      The software does call home – if you don’t turn off “check for updates” from preferences.

      If you want to give it a shot, try killing (shutting down) those extra-.exes one by one, and test if iTunes works normally after each quit. If it does (even with iPod, and syncing), I think you could try to prevent that extra-.exe from starting in the first place.

      And about iPod requiring iTunes… Imagine his face, who buys iPod, yet doesn’t have a Mac and refuses to use Windows… Even if one can beat the breath out of her boyfriend with iPod and keep using the player normally, I wouldn’t bother the hassle.

    • Just use CCleaner or WebRoot to turn off the auto-start features. Then just start iTunes when needed for syncing. And uninstall Bonjour (and the updater.) It is an ongoing security risk (and a reason why iTunes is banned on some corporate systems/networks.) Make sure you do not install undesired software when downloading CCleaner (http://www.filehippo.com/download_ccleaner/.) Check for updates using FileHippo (http://www.filehippo.com/updatechecker/); it is faster at finding updates than Apple’s updater. An added feature is that it will not try and push Safari or other Apple software. If you cannot rely on your family to install the latest patches, get Secunia PSI 2 beta and clean up with CCleaner weekly.

  4. Apple, congratulations on actually releasing a patch. There should be more of them.

    Now, Microsoft on the other hand, how about you inform the public exactly when they can expect a patch for Mac’s Office 2008 suite. You released a fix for MS10-087 which only fixed Mac’s Office 2011. Mac 2008 users were told the vulnerability affected them but no patch was available. It isn’t fair to ask us to upgrade to 2011 in order to be protected.