Apple Patch Day: Gaping Mac OS X, Safari holes

It’s Apple’s turn on the Patch Day treadmill and, for Mac OS X users, it’s quite ugly.

As I write, Apple has released four different bulletins to cover 48 documented vulnerabilities in the Mac OS X ecosystem, a solitary code execution flaw affecting Safari for Windows and four different security problems in Java for Mac OS X.

Security Update 2009-001 is quite a whopper, providing patches for holes in a wide range of components, including several open-source implementations like ClamAV and fetchmail.

This is a high-priority update for all Mac OS X users so don’t fool around when you see that Software Update alert. All the raw details can be found in this advisory.

If you’re a Windows user and Safari is installed on your machine, pay special attention to this alert, which warns of code execution exposure on Windows XP and Windows Vista.

  • Multiple input validation issues exist in Safari’s handling of feed: URLs. The issues allow execution of arbitrary JavaScript in the local security zone. This update addresses the issues through improved handling of embedded JavaScript within feed: URLs.

Apple also shipped a Java for Mac update with fixes for 4 more security problems:

  • Multiple vulnerabilities exist in Java Web Start and the Java Plug-in, the most serious of which may allow untrusted Java Web Start applications and untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution with the privileges of the current user.
[Source: zdnet]