Apple patches unused Pwn2Own bug, 55 others in Mac OS

Apple Monday issued patches for 56 Snow Leopard bugs, most of which can be exploited to hijack user machines.

Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines, as part of 2011's first broad update of Mac OS X.

Among the fixes was one for a vulnerability that four-time Pwn2Own winner Charlie Miller didn't get a chance to use at the hacking contest earlier this month.

Of the 56 bugs patched in the update for Snow Leopard, 45 were accompanied by the phrase "arbitrary code execution," Apple-speak for rating the flaws as "critical." Unlike many other major software makers, like Microsoft and Oracle, Apple doesn't assign severity rankings to vulnerabilities.

According to Apple's advisory , more than a dozen of the bugs can be exploited by "drive-by" attacks that execute as soon as a victim browses to a malicious Web site with an unpatched edition of Mac OS X.

Several in that class resided in Apple Type Services (ATS), the operating system's font renderer, and could be exploited using malicious documents embedded with specially-crafted fonts. Of those four vulnerabilities, two were reported by researchers from Apple's rival Google.

Other drive-by attacks could be launched using malformed files exploiting six vulnerabilities in Mac OS X's ImageIO component, another five in QuickTime and two in QuickLook, the operating system's document preview tool.

One of the latter was uncovered by Charlie Miller and Dion Blazakis, researchers with the Baltimore-based consulting firm Independent Security Evaluators (ISE). Miller, who has won cash prizes at the Pwn2Own hacking challenge four years running, and Blazakis planned to use their QuickLook bug to hack Mac OS X and Apple's Safari browser at the contest.

But because Miller and Blazakis drew a late spot at Pwn2Own, they were unable to use the vulnerability: A team from the French security company Vupen, which had the first crack, broke Safari and hijacked a MacBook Air to win the $15,000 prize with a different bug.

"[Mac OS X] 10.6.7 fixes a ton of bugs. It slaughters at least 4 I was sitting on including my OS X entry to pwn2own I didn't get to use," said Miller in a Monday tweet .

Miller and Blazakis sold their unused vulnerability and exploit to HP TippingPoint's Zero Day Initiative (ZDI), the Pwn2Own sponsor.

The second day of Pwn2Own, Miller and Blazakis exploited another bug to hack an Apple iPhone , and walked off with their own check for $15,000.

The update to Mac OS X 10.6.7 also fixed several non-security bugs including issues in the AirPort Wi-Fi driver, and offered numerous enhancements, such as a reliability improvement to MobileMe's Back to Mac remote access technology.

Users of new MacBook Pro notebooks also received a fix Apple said would "improve graphics stability and external display compatibility" in the laptops, Apple's first to boast processors from Intel's new Sandy Bridge line.

Apple's support forum has been flooded with complaints that the new MacBook Pros lock up when stressed by graphics processing chores.

Mac OS X 10.6.7 and the separate 2011-001 security update for Leopard can be downloaded at the Apple site or installed using the operating system's integrated update service.

The update downloads weigh in between 241MB and 475MB for the client versions of Snow Leopard and Leopard.

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)