Apple ships updates, including Snow Leopard (ONLY KIDDING!)

We’re kidding about updates to Snow Leopard, of course, not about the updates in general.

Indeed, Apple has just pushed out its latest raft of improvements and fixes for iOS, Apple TV, Safari and OS X.

But Snow Leopard is conspicuous by its absence once again: OS X 10.6 doesn’t have any operating system updates and isn’t getting a Safari fix.

The updates that have come out are:

  • iOS 7.1.2
  • Apple TV 6.1.2
  • Safari 7.0.5
  • Security Update 2014-003 for OS X 10.7 and 10.8
  • OS X Mavericks 10.9.4 (includes Safari 7.0.5)

As seems to be standard practice these days, Apple has rolled the Safari update into the point release for OS X 10.9 Mavericks.

If you have Lion (10.7) or Mountain Lion (10.8) you will receive two updates: one patching numerous security holes in the operating system and its components (excluding Safari), and the other delivering the latest Safari.

Regular and frequent?

Just over a month ago (23 May 2014, in fact), I wondered if Safari updates were becoming more regular and more frequent, and I drew a little railway map to see if there was any obvious pattern emerging:

[Image: saf-704, the Safari update timeline]

I was forced to admit that it was too early to tell, since the five-update run at the far right was matched by an equally impressive-looking run in 2012 that went off the rails in 2013.

I don’t know whether to change my mind now I’ve added the latest Safari update to the picture:

[Image: saf-705, the same timeline with Safari 7.0.5 added]

But I do know that I’m still desperately hoping that Apple will start scheduling its large-scale updates more predictably.

If Cupertino is able to push out updates approximately once a month, it seems reasonable to expect it could do so precisely once a month, so that we could all plan in advance.

Although more and more Naked Security readers seem inclined to agree, there are still a few hold-outs who think not only that updates don’t need to be monthly, but also that they are better off done in an unpredictable fashion.

Does regular mean better?

There seem to be three main arguments against Apple committing to monthly security fixes on known dates:

  1. Crooks will hold back new zero-days until just after an update, if they can be sure when the next one is coming out.
  2. Crooks work backwards from updates to uncover exploits they didn’t yet know about, which is easier if the updates are predictably scheduled.
  3. Apple’s products simply don’t need as many updates as competing vendors, so in many months there would be no updates, or updates just for appearance.

To which I offer the answers, or at least the counter-questions:

  1. Why?
  2. Why?
  3. Oh, really?

I almost buy the argument about the risk of crooks holding back on deploying new zero-days until what you might call “Post-Patch Wednesday,” on the grounds that it feels as though it ought to be true.

Except that no such pattern seems to have emerged on Windows, even after more than ten years of Patch Tuesdays.

After all, having a regular update cycle doesn’t (and, indeed, ought not to) preclude a software vendor from having a process for emergency or so-called out-of-band fixes as well.

Anyway, Apple updates approximately once every month or two, so if the crooks really want to risk wasting a new zero-day by holding onto it until just after the next update, they can do so even if Apple doesn’t follow the calendar predictably.

And I can see why it might be very, very slightly easier for the crooks to reverse-engineer the latest patches (i.e. to work backwards from a fix to an exploit) if they knew that it was better to have hired hackers standing by on every second Wednesday in the month, say, than on any other day.

The same predictability that makes it easier for system administrators to patch 10,000 computers in 24 hours if they can plan ahead might, indeed, aid the cybercriminals too.

So I’ll give you point two as a theoretical benefit to the Bad Guys, even though I’m not convinced it would make any measurable difference to their overall attack capabilities.

As for Apple not having enough security updates to fill a bag of patches every month, all I can say is that a month where there was genuinely nothing worth fixing would be a fantastic problem to have.

What’s fixed this month?

These latest fixes cover at least 10 remote code execution (RCE) updates in Safari – the sort of bugs that can be exploited using web pages that deliver what are often referred to as “drive-by downloads” or “open-and-own” attacks.

There’s also a data leakage hole patched in Safari, and a patch for a bug that could allow crooks to take you to a dodgy site but show you a completely different website name in the address bar.

The browser on iOS gets even more love and attention, with close to 30 RCEs closed off, including two vulnerabilities going back to 2013.

There are also at least 19 vulnerabilities sorted out in OS X, including remote code execution and an elevation of privilege (EoP) exploit that could allow a regular program to acquire system-level powers.

As we have pointed out several times before, combining an RCE with an EoP can make an otherwise quite limited attack into something much more serious.

The most intriguing patch, however, is for a bug known as CVE-2014-1361, whereby the OS X Mavericks lock screen may occasionally fail to intercept the keyboard properly.

Attackers could therefore type text into application windows running behind the lock screen, although they would have to guess which windows were in what order, and what sort of input the software was waiting for.

This sounds more amusing than dangerous, until you stop to think that your usual action, on seeing the lock screen, is to type in your password followed by [Enter].

And that might not be quite what you want to do if the program under the lock screen is an instant messaging or social media app!

So, there are plenty of patches, and – you will surely be prepared to admit – more than enough to make it unlikely that a whole month could ever go by with no patches worth publishing, especially when iOS is still catching up with vulnerabilities discovered last year.

At the time of writing [2014-06-30T22:00Z], Apple still doesn’t have the standalone versions of these patches ready for download, but they’re there for the taking via Settings > General > Software Update on your iDevice, or Apple Menu > Software Update... on OS X.
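As an added example (not part of the original post, and not Sophos or Apple code), here is a small POSIX shell check that reports whether a Mac is still behind the versions listed above. The version comparison runs anywhere; only live_check assumes it is on OS X with sw_vers and Safari’s Info.plist present.

```shell
#!/bin/sh
# Added example: is this Mac behind the versions this round of updates brings?
# The version constants are the ones named in the post above.
MAVERICKS_FIXED="10.9.4"
SAFARI_FIXED="7.0.5"
# version_lt A B: succeed (0) if dotted version A is strictly older than B.
# Compares numerically per component, so 10.9.10 counts as newer than 10.9.4.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}
# patch_status OSVER SAFARIVER: print what is outstanding; return 1 if anything is.
patch_status() {
    rc=0
    case "$1" in
        10.9|10.9.*)
            if version_lt "$1" "$MAVERICKS_FIXED"; then
                echo "OS X $1: install $MAVERICKS_FIXED (19+ fixes incl. CVE-2014-1361 lock screen bug)"
                rc=1
            fi ;;
        10.7*|10.8*)
            echo "OS X $1: confirm Security Update 2014-003 is installed (softwareupdate -l)" ;;
        10.6*)
            echo "OS X $1: Snow Leopard received no update this round"; rc=1 ;;
        *)
            echo "OS X $1: not covered by this round of updates" ;;
    esac
    if version_lt "$2" "$SAFARI_FIXED"; then
        echo "Safari $2: install $SAFARI_FIXED (10+ remote code execution fixes)"
        rc=1
    fi
    return $rc
}
# live_check: read the real versions. Assumption: running on OS X, where sw_vers and
# Safari's Info.plist exist; elsewhere both fall back to "0" and get flagged.
live_check() {
    os=$(sw_vers -productVersion 2>/dev/null || echo 0)
    saf=$(defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString 2>/dev/null || echo 0)
    patch_status "$os" "$saf"
}
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` on a Mac to check the machine you are sitting at; the exit status is non-zero when something still needs installing.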
