Mac OS X Update Polishes Its Image

Even though Snow Leopard is on track to hit the market, Apple has pushed out a new set of updates for its current platform, Leopard. Many of the fixes involve securing the way the operating system handles images. The update also includes some patches for Tiger, Apple’s previous version of OS X.

In what may be the last significant OS X update Apple pushes out before the arrival of Snow Leopard, the company on Wednesday released Security Update 2009-003 to fix flaws in the platform.

As with other security updates, this one, known as "OS X.10.5.8," can be downloaded and installed through Mac users’ Software Update preferences or from Apple Downloads.

OS X.10.5.8 has been released to fix flaws in Mac OS X 10.4.11 and 10.5 through 10.5.7.

This is the second major OS X security update released this year -- the last, issued in February fixed more than 50 flaws. However, is the Mac really all that vulnerable?

About OS X 10.5.8

Many of the fixes in OS X 10.5.8 deal with handling images. For example, fix CVE-2009-1728 deals with a stack buffer overflow that could terminate an application or arbitrarily execute code when the user views maliciously crafted Canon raw images.

A raw image file contains minimally processed data from the image sensors of digital cameras, or image or motion picture film scanners. Raw files have to be processed by raw converters then converted to positive file formats such as TIFF or JPEG.

The CVE-209-1728 fix is for Mac OS X 10.5 through OS X 10.5.7, and Mac OS X Server 10.5 through OS X 10.5.7.

"Most of the fixes I saw are for rendering image files and stuff like that," Charlie Miller of Independent Security Evaluators (ISE) told MacNewsWorld. Miller has made a career out of cracking Apple’s security since leaving the National Security Agency. Most recently, he demonstrated at the Black Hat security conference that hackers can break into iPhones through the SMS protocol. Soon after that, Apple issued an iPhone fix.

The root of Apple’s problem with image handling is that QuickTime is ancient, Miller explained. "The QuickTime code was written probably 15 years ago, and no one even knew about security back then," he said.

With Snow Leopard, Apple has written parts of QuickTime from the ground up, Miller added. "Hopefully, they’ll do a better job this time."

The Meaning of OS X 10.5.8’s Life

"This may be the last update to 10.5, although they may issue one or two after 10.6 comes out if there are any major security breaches," Don Boys, senior data recovery engineer at Kroll OnTrack, told MacNewsWorld. OS X 10.6 is code named "Snow Leopard" and is scheduled to hit the shelves in September.

Apple probably expects all OS X users to switch to Snow Leopard because the upgrade is so inexpensive, Boys said. Mac OS X Leopard users can switch for less than US$30.

Just Another Security Update

The reason Apple is updated OS X 10.5 so soon before the release of Snow Leopard is because it needs to lay the foundation for the upcoming OS, according to Jeff Pederson, manager of data recovery operations at Kroll OnTrack. "They’re building the foundation for 10.6," he told MacNewsWorld.

The fixes are to make the 10.5 platform more compatible with Snow Leopard, contended his colleague, Boys. "They did the same thing with System X 10.5 -- less than a month before it was released, they putout the last update for 10.4."

That’s not quite the way Carl Howe, director of anywhere consumer research at the Yankee Group, sees the update. "It’s almost entirely composed of security fixes for Mac OS 10.5.7," he told MacNewsWorld.

"Snow Leopard doesn’t factor into the equation since not all Leopard users will upgrade," he said. "Therefore, getting security fixes out to the installed base sooner rather than later reduces the ability of any security threat to propagate."

Apple tends to wait until it either has a significant number of flaws or some severe ones before issuing fixes, Howe said.

Other Security Issues

This year, Apple’s various updates have abounded with security fixes. In February, it issued Update 2009-001 to fix more than 50 flaws in Max OS X 10.4 and 10.5, Java for the Mac and Safari for Windows systems.

In June, Securemac, a Mac security products vendor, warned that multiple variants of the DNSChanger Trojan Horse, which affects the Mac platform, were surfacing and were being distributed through mainstream sites including gamer and technical downloads, in addition to porn and search engine optimized pages.

Also in June, Securemac advised iPhone users to install the just-released iPhone 3.0 operating system because it addressed about 40 security issues.

"The perception is that Macs are more secure than other platforms, but that’s not the case," ISE’s Miller said.

Whether or not Snow Leopard resolves the Mac’s security problems remains to be seen, Miller said. "The jury’s still out on what’s going to happen with Snow Leopard."

Is The Mac Really Vulnerable?

Yankee Group’s Howe is not convinced that the Mac platform is as vulnerable as reported. "Security is not easy to measure," he said. "Too many people focus on the number of threats rather than their significance and ability to propagate."

Also, there are security experts who attack Apple products because Apple has used its relative lack of malware threats as a marketing point, Howe said.

"Certainly, the platform gets a higher percentage of manufactured attacks at security conferences than its market share would suggest because of this," he explained. "Linux and Mac OS X, which have similar architectural foundations, still have a much lower actual incidence of malware today than the Windows world."