March 30, 2010, 11:53 AM — The latest Mac OS X upgrade is both enormous, 784MB and necessary. It fixes no fewer than 88 security holes.
You may think you can wait on this patch. After all, even with my 20Mbps cable Internet connection it took me an average of an hour to patch a pair of Mac Minis and a Mac Book Pro. And, some of the fixes will matter to only a handful of users. I mean how many of us really need updated Daylight Savings Time rules for Antarctica?
But, you shouldn't wait. This massive Mac OS X Leopard and Snow Leopard upgrade fixes some truly nasty security problems. And, when I say 'nasty,' I mean Windows-sized security holes that can stop your Mac dead in its tracks or let someone else take it over.
1. AppKit Spellchecker in Leopard
Shades of Microsoft Office, it turns out a maliciously created document that could be used to crash or take over a Mac via the spell checking feature used by Cocoa-based applications. This kind of security hole is old news in Windows systems with Microsoft Office, but I don't recall seeing this kind of problem in Macs before.
2. CoreAudio/CoreMedia/QuickTime in Snow Leopard
And would you believe that the same kind of problem exists in Snow Leopard's audio and video playing components? Believe it, there are several ways that a video or audio file can be set up so that when you try to play them, they'll either blow up your computing session, or, far more likely, be used in attempt to take your Mac over.
3. CoreTypes in Leopard/Snow Leopard
4. Disk Images in Leopard/Snow Leopard
Mac users assume that the images they use to install software are safe. Sure, the software that they install may not be good, but the image itself? Sure, it's fine, right? Wrong. It turns out that the image file itself can be set up to become a trap. If you open the maliciously crafted disk image, that alone will be enough to start an attempt to take your Mac over.
5. Image RAW in Leopard/Snow Leopard
Last, but not least, it turns out that RAW graphic image formats can also be used as booby-traps for the unwary user. Once more, all you need do is to open up a rigged image with iPhoto or the like and, ta-da, your Mac has been zapped.
See what I mean? Typical secure computing practices like firewalls or anti-virus software aren't that likely to catch many of these problems. This reminds me, the popular open-source ClamAV anti-virus program won't update in Leopard without this latest fix. I trust I've made my point. You really, really need to patch your Mac now.
Even after all these fixes, there are still other security holes in Mac OS X. Tiger, Mac OS X 10.4.x, users, for instance, didn't get any security fixes. It seems a safe bet that at least some of the problems that were cured for Leopard and Snow Leopard users are also present in Tiger. In addition, none of the security problems discussed by Pwn2Own winner Charlie Miller seem to have been addressed.
So, in short, while Macs, practically speaking, are safer than Windows systems, don't think for one second that they're immune to security problems. They're not. You should be as careful with using your Mac as you are with your Windows system and that includes updating it as soon as possible.