Four of the baker's dozen patch Apple's Safari Web browser, two affect the bundled open-source Apache Web server software, and others involve such components as OpenSSL, Open Directory, and the system administrator logging function.
Four of the 13 flaws let attackers place their own code on vulnerable systems; although Apple doesn't label vulnerabilities with a risk-assessment score as Microsoft does, any bug that allows such arbitrary code execution is considered a critical threat by virtually every security vendor and analyst. Denmark-based vulnerability tracker Secunia tagged the entire update as "Highly critical," its second-highest alert ranking.
September was the last time Apple patched its operating systems; then, it fixed 10 vulnerabilities. In August, however, Apple had to fix more than 40 flaws.
Security organizations, including Symantec and the SANS Institute, have recently warned Mac users that the Apple operating system is increasingly vulnerable to attack. In September, Symantec's bi-annual Internet Security Threat Report noted that Mac OS X was in danger of becoming a target as the popularity of the platform rose.
"Many users believe that this operating system and the applications that run on it are immune to traditional security concerns. However, evidence suggests that, increasingly, they may be operating under a false sense of security," said the report.
Much more recently, the computer training organization SANS Institute specifically cited Mac OS X in its top 20 vulnerabilities list. "Any default or unpatched Mac OS X installations should be presumed to be vulnerable," the SANS report said.
It even took a potshot at the way the Cupertino, Calif.-based developer releases security updates. "Apple frequently issues Mac OS X cumulative security updates that tend to include fixes for a large number of vulnerabilities with risk ratings ranging from critical to low. This complicates the tracking of vulnerabilities for this OS."
Apple released November's fixes as Security Update 2005-009 in versions for both Panther and Tiger, with separate updates for the client and server editions of each. The patches can also be downloaded using the operating system's own Software Update command, or from Apple's Web site.