Apple has released a security update that patches 67 vulnerabilities in Mac OS X.
Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.
"For Apple, updates this size are now becoming the norm," said Andrew Storms, director of security operations at nCircle Network Security.
More than a third of the vulnerabilities - 26 of the 67 - were labeled with Apple's 'arbitrary code execution' description, meaning the flaws are critical in nature and could be exploited to hijack a Mac. Unlike many other vendors, such as Microsoft, Apple does not assign a threat ranking to the bugs it discloses.
Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache web server and the WebKit browser rendering engine that powers Safari.
"I don't see Apple moving at a faster pace," said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. "Some of these I remember patching [on Linux] back in December."
"Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities," Storms continued. Researchers can look for fixed bugs in open-source code, and use that information to reverse-engineer an exploit against Apple's operating system secure in the knowledge that the company hasn't yet pushed out updates.
Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.
But the highest-profile vulnerabilities today - if only because they attracted so much media attention - were the two bugs used at ‘Pwn2Own', the annual hacking contest sponsored by 3Com's TippingPoint.
Last March, Charlie Miller, an analyst at Independent Security Evaluators, won $5,000 and a MacBook after using a flaw in the Apple Type Services component of Leopard to break into the laptop in less than 10 seconds.
Apple last patched its operating system in mid-February 2009, when it fixed 55 vulnerabilities.
Safari also was patched today. Apple issued separate security updates for Safari 3.0 and the beta of Safari 4.0; both updates patched three vulnerabilities in the Mac and Windows versions of the browser. Mac users can apply the updates separately, but the patches are included in the 67 that make up 2009-002.
The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.5.7 upgrade also released today.
See also: Mac hacker finds iPhone security hole