Apple patches more than a dozen holes in OS X

By Dan Goodin in San Francisco → More by this author

25 May 2007 22:42

Five uber updates in as many months

Apple has released an update that patches more than a dozen OS X vulnerabilities, several of which can lead to the remote execution of malicious code.

The most serious vulnerability resides in an OS X feature called mDNSResponder, which enables computers to locate and connect to devices such as printers and webcams on a local network. An attacker could use it to execute code by sending malicious packets to Macs connected to the same subnet, making the exploit ideal for use in internet cafes and offices.

Code exploiting the vulnerability has already been circulated by Immunity, a company that provides intelligence to security providers, according to Immunity's CTO, Dave Aitel.

"Remote roots like this don't come out every day," he said of the vulnerability.

Apple credited Michael Lynn of Juniper Networks for reporting the vulnerability. Lynn was the Cisco security researcher whose bosses threatened him with legal action in 2005 after publicly discussing vulnerability details in Cisco routers.

Yesterday's update was the fifth time in as many months that Apple has released to patch multiple security holes in its software. Apple has released other security patches this year, most recently to fix a high-profile vulnerability in QuickTime that allowed a hacker in a contest to publicly hijack a brand new MacBook Pro.

Among the other serious holes plugged in yesterday's update is flaw in OS X's CoreGraphics. That vulnerability could allow attackers to run code on a victim's machine by enticing users to open a maliciously crafted PDF file. ®

21 comments posted — Comment period finished

Track this type of story as a custom Atom/RSS feed or by email.

Apple patches Windows QuickTime bug (4 October 2007)
Apple TV gets its first critical security patch (20 June 2007)
Apple plugs two QuickTime holes (30 May 2007)
Apple patches security hole in QuickTime (2 May 2007)
QuickTime, not Safari, to blame for MacBook vuln (25 April 2007)
Apple plugs 25 security holes (19 April 2007)
MySpace-hosted malware exploits QuickTime flaw (16 March 2007)
Apple megapatch fixes multiple flaws (14 March 2007)
Apple releases last pre-Leopard update for Mac OS X (14 March 2007)
Apple QuickTime update lances multiple bugs (6 March 2007)
The rise of zero-day patches (2 March 2007)
Maynor reveals missing Apple flaw (2 March 2007)
Apple patches QuickTime bug (24 January 2007)

Top 20 stories All The Week’s Headlines

Whitepapers
Four Questions to Consider Before Consolidating Direct Attached Storage on Network Storage Alternate Client Architectures Creating Cost and Energy Efficiency Through Outsourcing Hosting Solutions Virtualization and Business Continuity

Breaking Hardware News

Intel ordered to dish documents on deleted antitrust lawsuit e-mails

AMD vs Intel Internal interviews must be disclosed to AMD

Intel has been ordered to hand over secret employee interviews from an internal investigation looking into documents and e-mails that went missing during its antitrust trial with AMD.

Get the ChannelReg newsletters

Related Whitepapers

Webcast : Why Today's Spam Filters Fail
Watch on-line now
Average CPU Power (ACP)
The Truth About Power Consumption Starts Here
The new way to defeat Spam
Increasing productivity with Abaca
Alternate Client Architectures
An overview of alternative architectures to deliver applications to the desktop
Podcast : Why Today's Spam Filters Fail
Listen or download now
Live Migration with AMD-V™ Extended Migration Technology
Live migration functionality works seamlessly across a broad range of AMD64 processors

Top Stories