RealTime IT News

Apple Plugs Pwn2own OS X Flaw

On the same day that Apple's OS X was set to come under hacker scrutiny at the pwn2own event last week, Apple issued a major security update. That update however wasn't enough to stop security researchers from exploiting Apple's operating system.

Now a week later, Apple is out with OS X 10.6.7, fixing flaws exposed during pwn2own, as well as numerous others. Pwn2own is an annual challenge sponsored by HP TippingPoint in which security researchers are awarded cash and prizes for demonstrating vulnerabilities. All exploits are given by HP TippingPoint to the affected vendor and kept under wraps until a patch is available.

"OS X 10.6.7 is out, fixes our pwn2own bug, but bug is still in latest iOS for a while longer," security researcher Charile Miller tweeted.

Apple's iOS operating system for iPhone and iPad is derived from OS X. Miller successfully exploited iOS at pwn2own this year, a feat he also accomplished in 2009 and 2010.

In addition to the bug that Miller used to defeat the iPhone, he noted that Apple has gone even further fixing bugs.

"It slaughters at least 4 I was sitting on including my OS X entry to pwn2own I didn't get to use," Miller tweeted.

Among the fixes in OS X 10.6.7 is one for Apple's AirPort Wi-Fi. According to Apple's advisory, when connected to Wi-Fi, an attacker on the same network may be able to cause a system reset.

Apple's ATS (Apple Terminal Services) is being patched for at least four flaws which could have led to arbitrary code execution. The ImageIO system is being patched for at least five flaws for image handling issues that could potentially have enabled an attacker to terminate an application or run arbitrary code. Additionally, the CoreText system is being patched for a memory corruption issue in how the system handled font files.

The 10.6.7 release also updates Apple's use of multiple open source components, including the Apache web server, PHP, Ruby, ClamAV and Subversion.

In addition to the security fixes, the 10.6.7 update also provides stability fixes for the MacBook Air that could have triggered a kernel panic. Apple's release notes also indicate that the 10.6.7 updates improves brightness on external displays and projectors.

Looking forward Apple has its next generation OS X now in development. OS X 10.7, known as Lion is now available as a developer preview with availability expected to come this summer.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.