Patch Tuesday is a Microsoft institution, but competing software companies are stealing some of the attention this week with security issues of their own. On Tuesday, Apple released Mac OS X 10.5.7, an update for its operating system that aims to improve application performance and stability — and fix 68 security issues.
“Who would have thought that OS X was so insecure? Nearly every component of Apple’s OS and its applications are touched by security-related fixes in the latest massive update from Apple,” said Andrew Storms, director of security operations for nCircle. “This is a real wake-up call for everyone that has been touting the Mac OS as more secure than Windows.”
Holes in Apple Products
As is the recent trend with Apple, Storms said a fair number of the updates are for the open-source applications bundled with its operating system rather than issues with the core of Apple’s software products.
“As we have seen in the past with both OS X and the iPhone, attackers utilize public disclosure of open-source application vulnerabilities to find holes in Apple products,” Storms said. “Now that Apple has let the security cat out of the bag, users are encouraged to update as soon as possible because exploits will be written very quickly.”
The update is available through Apple’s Software Update control panel or from the downloads Web page. The update adds RAW image support for several new digital-camera models; improves the reliability and accuracy of the Unit Converter, Stocks, Weather and Movies widgets; improves video playback and cursor movement for Macs with Nvidia graphics; fixes Yahoo contact-sync issues and Gmail log-in issues; and improves the search results for Finder. The update also resolves issues with Apple’s iCal and Mail applications and with parental controls, along with a few printing issues.
Adobe Finally Responds
Perhaps more pressing than the Apple updates — or even the Microsoft security bulletins for Patch Tuesday — is the much-awaited Adobe PDF vulnerability patch. Adobe issued a fix Tuesday for Reader and Acrobat versions 7, 8 and 9 for Windows, and versions 8 and 9 for Mac and Unix. The vulnerability relates to a JavaScript memory-corruption error and is rated “highly critical.”
“For the second time this year users have been left holding the bag for security issues in Adobe products,” Storms said. “In February and again in April this year enterprises were trying to mitigate threats from zero-day exploits in the popular Adobe PDF products. The PDF document, once viewed as a safer alternative to Microsoft Word format, has dropped a few rungs in security credibility.”
In both the February and April zero-day issues with Adobe, Storms noted, users were instructed to disable JavaScript to help mitigate the threats. While this advice seems plausible for the small office, he continued, for the enterprise this task is daunting and comes at the price of reduced functionality.
“Compared to Adobe’s product-vulnerability response in February, this latest round of bug disclosure was faster and Adobe was much more communicative,” Storms said. “Let’s hope Adobe continues to come closer to the Microsoft model on bug and patch disclosure.”