On Wednesday, Apple released OS X 10.6.5 and Security Update 2010-007, patching 131 vulnerabilities across both Mac OS X and Mac OS X Server.
"Many of the vulnerabilities could be exploited by malicious hackers to run unauthorized code on your Mac computer, opening you up to the potential of being spied upon, having information stolen, or cybercriminals commandeering your Mac into becoming part of a botnet," said Graham Cluley, senior technology consultant at Sophos.
When it comes to updating, "don't delay," he said.
Full details of the vulnerabilities addressed are covered in Apple's related knowledgebase article, released Thursday.
Interestingly, among the updates is a patch for the Flash Player plug-in. According to Apple, "multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution. The issues are addressed by updating the Flash Player plug-in to version 10.1.102.64."
In fact, according to AppleInsider, while 42% of the 131 vulnerabilities patched by 10.6.5 address Apple's own code, an equal number relate to Adobe Flash. That revelation adds some perspective to Apple's public denigration of Flash.
What's curious, however, is what Apple hasn't patched. Notably, OS X 10.5 remains vulnerable to a variation of the publicly disclosed FreeType JailbreakMe iPhone exploit.
According to Core Security, a penetration testing firm, "this vulnerability could be used by a remote attacker to execute arbitrary code, by enticing the user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF font."
Core Security said that it first alerted Apple to the vulnerability in August. "According to information provided to us by Apple, a patch for this fix has already been developed," said Core Security. "Apple provided us a release date for this patch in two opportunities but then failed to meet [their] deadlines without giving us any notice or explanation."
With the vulnerability still not patched, Core Security recommends that any OS X 10.5 users immediately upgrade to OS X 10.6. One problem, however, is that after OS X 10.5, Apple dropped support for Macs based on the PowerPC chipset. Accordingly, owners of older Macs will remain vulnerable to the attack until Apple releases an OS X 10.5 patch.
