Apple Releases Security Update for Mac OS X

Apple Computer on Sept. 29 issued a security update that promises to fix several critical flaws in Mac OS X.

In issuing the 2006-006 security update, the Cupertino, Calif., company patched and updated 12 flaws in Mac OS X Version 10.4.8. Several of the security flaws were serious enough to open the possibility for arbitrary code execution attacks, according to Apple’s latest bulletin.

The latest Mac OS security patch comes just a few days after security vendor Symantec released a report on Sept. 25 that contends that the number of vulnerabilities found in Apple’s Safari browser doubled during the first six months of 2006 compared with the previous six months.

Despite the increase in vulnerabilities reported in Safari, Microsoft’s Internet Explorer still draws far more attacks, and those IE flaws maintain the longest window of exposure to attack on average, according to Symantec.

On the same day Apple released its security patch, the company became involved in a separate dispute with a vulnerability researcher at software maker SecureWorks over the details of the discovery of a Wi-Fi driver flaw in some Apple products.

Of the security patches released Sept. 29, one promises to fix a flaw in Adobe Flash Player, an application for creating animation and designs used primarily in Web applications.

“Adobe Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when handling maliciously crafted content,” according to the company’s Web site.

Click here to read more about Apple’s security patch for Wi-Fi-enabled Macs.

Another patch fixes flaws in CFNetwork clients, including Apple’s Safari. In that case, the company warned that when encryption is implemented using such applications without the use of authentication tools, users may be susceptible to attacks hosted on malicious Web sites.

“In the case of Safari, this may lead to the lock icon being displayed when the identity of a remote site cannot be trusted,” Apple said. “This update addresses the issue by disallowing anonymous SSL [Secure Sockets Layer] connections by default.”

In addition to Flash Player and the CFNetwork, the security update fixes problems with Image IO, Kernel, Login Window, Preferences, Quick Draw Manager, SASL and WebCore.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.