Five other vulnerabilities were also Snow Leopard-only: a pair of bugs in the CoreMedia component's parsing of H.264 movie files, one in ImageIO's handling of TIFF files, and vulnerabilities in the kernel and Launch Services were patched in today's update.
Storms said that one of today's patches, which Apple labeled as affecting the Libsecurity component, had been patched a month ago by Microsoft in that company's regular October security update. Apple credited Dan Kaminsky, of IOActive, and the Microsoft vulnerability research team for reporting the flaw, which was in the parsing of X.509 certificates. It could be used to spoof the digital certificate of a Web site, perhaps in league with identity theft attacks.
"While it is not yet considered computationally feasible to mount an attack using these weaknesses, this update disables support for an X.509 certificate with an MD2 hash for any use other than as trusted root certificate," Apple said in the accompanying advisory.
Last month, Microsoft said that proof-of-concept code had been published "which would allow an attacker to exploit this vulnerability in limited scenarios," but said it had not seen active attacks.
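The rule Apple describes, MD2-signed certificates accepted only as the trusted root itself, can be expressed as a chain-policy check. The following is an added example, not code from the article or from Apple: a minimal DER walker reads each certificate's outer signatureAlgorithm OID, and the chain is assumed to be ordered leaf to trusted root; the sample certificates are constructed stand-ins with a placeholder TBS and signature, not real certificates.

```python
# Added example, not Apple's code: apply the MD2 rule above to a certificate chain.
MD2_RSA_OID = "1.2.840.113549.1.1.2"      # md2WithRSAEncryption
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, as real certs use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content octets -> dotted-decimal string."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def signature_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (2nd field of the outer SEQUENCE)."""
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)               # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier
    oid_tag, oid_raw, _ = _read_tlv(sig_alg, 0)  # its .algorithm OID
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid_raw)

def chain_allowed(chain_der):
    """chain_der is ordered leaf -> trusted root; MD2 is tolerated only on the root."""
    return all(signature_oid(c) != MD2_RSA_OID for c in chain_der[:-1])

# --- constructed sample certificates (placeholder TBS and signature, not real) ---
def _der(tag, content):                    # short-form lengths suffice for the samples
    return bytes([tag, len(content)]) + content

def fake_cert(oid_octets):
    tbs = _der(0x30, _der(0x02, b"\x01"))                             # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, oid_octets) + b"\x05\x00")            # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 8))  # + BIT STRING stub

MD2_OCTETS = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2
SHA256_OCTETS = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
LEAF, ROOT = fake_cert(SHA256_OCTETS), fake_cert(MD2_OCTETS)
```

A real chain would be fed as DER bytes in the same leaf-to-root order; the root's own signature is irrelevant to trust, which is why the policy exempts it.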
Several open-source components of Mac OS X were also patched in Apple's update today, including the Apache Web server, Fetchmail, IPSec, LibXML, OpenLDAP, OpenSSH, PHP, RADIUS and Subversion. "I looked up the release dates of those to get an idea of Apple's response time," Storms said. "Apache was patched in June; Fetchmail, LibXML and Subversion in August; and PHP and RADIUS in September."
Storms and other security experts have been critical of Apple's sometimes-lethargic patching pace for open-source pieces it includes in Mac OS X. "To harp on the fact again, if Apple is going to distribute open-source code and applications, they need to close that loophole faster," said Storms. "Some of those, like PHP and LibXML, were pretty important to get patched, and they were fairly fast, for them, this time. But OpenSSH's bug was patched more than a year ago."
The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Snow Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.6.2 upgrade also released Monday.