LinuxInsider.com

Super-Sized Apple Update Fixes 45 Flaws


Apple released patches for 45 vulnerabilities Tuesday, its first large-scale security update since August 2006. The update was issued on the day Microsoft opted to sit out on what would normally be its regular "Patch Tuesday." Apple has received credit for fixing known flaws, but it may have to get more serious about security if it wants to take on Vista.


Apple (Nasdaq: AAPL) released a big security patch for its Mac OS X operating system Tuesday. The mega-update patches some 45 weak spots, including several zero-day vulnerabilities. About one-third of the fixes address security issues revealed on the "Month of Kernel Bugs" (MOKB) and "Month of Apple Bugs" (MOAB) blogs.

This latest update marks the seventh time Apple has released a security patch since the start of 2007. It affects Apple computers running Mac OS X version 10.3.9 and Mac OS X Server version 10.3.9. Mac OS X version 10.4.9 contains the security fixes released in Tuesday's patch and, according to the Cupertino, Calif., computer maker, will install on Mac OS X v10.4 or later as well as Mac OS X Server v10.4 or later systems.

"This is an extremely critical update," Rich Mogull, a Gartner (NYSE: IT) analyst, told MacNewsWorld.

Bug Infestation

The update includes fixes for problems within Apple's software as well as third-party applications such as Adobe Systems' (Nasdaq: ADBE) Flash Player, OpenSSH and MySQL. Also, while many of the flaws pose no serious security risk, several could allow attackers to remotely execute code through which they could gain control over a Mac.

Anything that allows someone to remotely install something on another person's machine is a big vulnerability, Dave Cole, director of Symantec (Nasdaq: SYMC) Security Response, told MacNewsWorld.

Cole agreed with Apple that Mac users should definitely download this security patch and apply it. "There are some serious vulnerabilities [corrected] in it and we want people to be protected. Without a doubt this is an important one and if you're thinking of skipping an update, this isn't the one to skip," he stated.

There is good news and bad news with an update containing so many patches, according to Cole. "The bad news is that it is around an 8 MB patch," he said. "The good news is that when you apply it you get them all in one."

Flaw Catcher

This is the first large-scale security update for Apple since August 2006, when it released a patch containing fixes for 26 vulnerabilities. Tuesday's update corrected several flaws brought to light during November 2006 and January of this year by "Month of" bloggers H.D. Moore, director of security research for BreakingPoint Systems, and a researcher known only as LMH. Nine of the fixes pertain to bugs released during MOAB; an additional seven deal with flaws brought to light during MOKB.

The bloggers' stated goal was to reveal major security flaws that put both Mac and Windows users at risk. Gartner's Mogull sees the update as a small vindication for the bloggers, as it proves Apple has security issues about which Mac users should be aware. It does not, however, validate the tactics the bloggers used, he asserted.

"It does not validate the approach of releasing the actual exploit as part of reporting the vulnerability," he stated. "You could say that they did force Apple to respond, but Apple is also patching a number of things not addressed in the 'Month of Apple Bugs' project as well."

Great Security Hype?

Including Tuesday's releases, Apple has released seven security updates this year. Compare that to the 16 security bulletins released by Microsoft (Nasdaq: MSFT) to correct some 30 vulnerabilities in the same time period, and it appears that Apple's marketing campaign touting the superior security of a Mac may not be an exercise in hyperbole.

However, on the same day Apple released its 45 fixes, Microsoft sat out its regular monthly update of what has come to be known as "Patch Tuesday."

The patch is a big one for sure, but it isn't the first time Apple has released a patch this size, Symantec's Cole explained.

"This comes at a time when they've thrown off the gloves and taken on Vista in their consumer marketing," he said. "The question is, are the people watching those commercials aware of the [security updates] and what Microsoft will do with this information? I'm sure Microsoft was not wholly unhappy that on a day they didn't release patches, Apple did."

Mogull credits Apple for issuing such a comprehensive update; however, he said the computer maker needs to put a greater emphasis on security.

"Apple does not have a chief security officer. They are hiring for a new security position, but security is not as ingrained in the Apple culture and the development process as it is in other places," he noted.

Apple gets a mixed grade, Mogull continued. He gives them a good grade for plugging so many holes, several of which were critical. However, the events of the past year indicate that Apple needs to take security more seriously.

"That is something we hope to see them do in the future," he added. "But, if they want to use security in their marketing campaign, they will really need to make a very big effort."


By Walaika Haskins