Infrastructure // Storage
News
11/11/2010
10:39 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Apple OS X 10.6.5 Patches 131 Security Flaws

About 40% of the fixes involve Adobe Flash, lending some credence to Apple's criticism of the plug-in.

Slideshow: 10 Killer Mac Applications
Slideshow: 10 Killer Mac Applications
(click image for larger view and for full slideshow)

On Wednesday, Apple released OS X 10.6.5 and Security Update 2010-007, patching 131 vulnerabilities across both Mac OS X and Mac OS X Server.

"Many of the vulnerabilities could be exploited by malicious hackers to run unauthorized code on your Mac computer, opening you up to the potential of being spied upon, having information stolen, or cybercriminals commandeering your Mac into becoming part of a botnet," said Graham Cluley, senior technology consultant at Sophos.

When it comes to updating, "don't delay," he said.

Full details of the vulnerabilities addressed are covered in Apple's related knowledgebase article, released Thursday.

Interestingly, among the updates is a patch for the Flash Player plug-in. According to Apple, "multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution. The issues are addressed by updating the Flash Player plug-in to version 10.1.102.64."

In fact, according to AppleInsider, while 42% of the 131 vulnerabilities patched by 10.6.5 address Apple's own code, an equal number relate to Adobe Flash. That revelation adds some perspective to Apple's public denigration of Flash.

What's curious, however, is what Apple hasn't patched. Notably, OS X 10.5 remains vulnerable to a variation of the publicly disclosed FreeType JailbreakMe iPhone exploit.

According to Core Security, a penetration testing firm, "this vulnerability could be used by a remote attacker to execute arbitrary code, by enticing the user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF font."

Core Security said that it first alerted Apple to the vulnerability in August. "According to information provided to us by Apple, a patch for this fix has already been developed," said Core Security. "Apple provided us a release date for this patch in two opportunities but then failed to meet [their] deadlines without giving us any notice or explanation."

With the vulnerability still not patched, Core Security recommends that any OS X 10.5 users immediately upgrade to OS X 10.6. One problem, however, is that after OS X 10.5, Apple dropped support for Macs based on the PowerPC chipset. Accordingly, owners of older Macs will remain vulnerable to the attack until Apple releases an OS X 10.5 patch.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.