"It's another sneak attack," said Andrew Storms, director of security operations at nCircle Network Security, referring to the string of updates. "Actually, it's almost what we've come to expect from Apple," he added. Unlike rival OS maker Microsoft, which releases most of its security upgrades on a pre-set monthly schedule, Apple ships its patches whenever they're ready to go out the door.
The Snow Leopard 10.6.1 update's security content consisted solely of an upgrade for Adobe's Flash Player, which was bumped to the up-to-date version 10.0.32.18. Users and security researchers had taken Apple to task for not only shipping Snow Leopard with an outdated and vulnerable version of Flash Player, but also for silently "downgrading" once-secure editions when Macs were updated to the new operating system. Mac OS X 10.6.1 packaged nine patches for Flash vulnerabilities, some of which could result in "arbitrary code execution," Apple-speak of a critical flaw that attackers could exploit to grab control of a Mac. According to the corresponding Adobe security advisory, six of the nine flaws could be considered critical.
Apple released the first update for Snow Leopard less than two weeks after it debuted the operating system on Aug. 28, a slightly faster pace than in 2007, when Apple took about three weeks to issue the first security update for Mac OS X 10.5, aka Leopard.
Adobe updated Flash Player to 10.0.32.18 in late July to plug a dozen vulnerabilities, including three inherited from flawed Microsoft development code - obviously, those were not present in the Mac version - and one that hackers had been exploiting for at least a week, which did apply to the Mac.
"Having to release a whole OS update just to patch one third-party component, that's a bit heavy-handed," said Storms. "Apple had to go through one whole engineering cycle to fix Flash."
As if to echo Storms' point, Apple noted that the 10.6.1 update - which admittedly includes fixes for eight non-security issues - tipped the scale at 75MB. The Security Update 2009-005 for Leopard and Tiger was more traditional, patching 33 vulnerabilities in the former and 16 in the latter. Of the 33 bugs in Mac OS X 10.5, Leopard, 23 were tagged with Apple's "arbitrary code execution" phrase; 14 of the 16 flaws in Tiger were pegged the same way.
Among the components patched in 2009-005 were ClamAV, the open source anti-virus scanner bundled with Apple's server software; CoreGraphics; the Apple-developed but open source CUPS printing system; Launch Services; MySQL; the PHP scripting language; and SMB (Server Message Block), the file- and print-sharing protocol Macs use to access Windows-based networks.
Two of the vulnerabilities could be triggered by duping users into visiting rigged Web sites, said Apple, while a number of others, including flaws in ColorSync, CoreGraphics and ImageIO, could be exploited by attackers who serve up malformed image, PDF, or PixarFilm-encoded TIFF formatted files. Storms focused on the six patches for PHP, which updated Leopard's version of the scripting language to 5.2.10. "Apple either needs to close this loophole, or distance itself from bundling third-party and open-source components."
Apple has taken heat, from Storms as well as other security experts, for its sometimes-sluggish pace of rolling third-party updates into its operating system. It took Apple until mid-May, for example, to include Flash Player 10.0.22.87, the version Adobe released in late February, with a Leopard security upgrade.
Also included in the Mac OS 10.6.1 update were at least eight fixes for non-security bugs, Apple said in a separate support document.
Among them was one that "addresses an issue in which some printer compatibility drivers might not appear properly in the Add Printer browser," said Apple.