Security Watch

Keeping track of patches and hacks in the IT security world.

Apple Stitches Up 25 Holes in Mac OS X

Apple released 25 security patches for Mac OS X on Thursday, the most serious of which could allow a remote attacker to crash a system or execute arbitrary code.

The patches address holes found throughout the Mac operating system, from the VideoConference framework to placement of the Login window. Some of the patches address holes found in third-party products working with Macs, including three glitches found in Macs working in conjunction with Kerberos, MIT's network authentication protocol. Many of the glitches allow local users to escalate privileges.

Apple, which touts the supposed superiority of its Macintosh operating system over Microsoft's Windows, has been putting out a healthy load of security patches all year.

In March, Apple patched a heap corruption vulnerability in QuickTime. Later that month, the company issued a security update to plug dozens of holes in both the client and server versions of Mac OS X 10.4.9.

Before that, in February, Apple patched "highly critical" OS X and iChat vulnerabilities.

This all came on top of a grim start to the year for Apple: The Month of Apple Bugs launched on Jan. 1, less than 24 hours after the release of working exploits for two critical media player flaws—QuickTime and VLC. Later that month, Apple shipped an AirPort security update to fix a kernel panic issue that could allow attackers to cause system crashes.

This latest shipment of 25 security updates came on the same day that a "pwn-2-own" contest launched at the CanSecWest security conference here in Vancouver. Hackers clustered in hotel rooms were feverishly trying to exploit the two unpatched Macs downstairs in the main conference hall, but Apple hopped on the phone to inform the conference organizers of the security update release. The show's organizers patched the Macs before they were hacked.

The patches can be downloaded and installed from Apple's Software Update or its Apple Downloads site.