Time for a 'Patch Tuesday' just for Apple?

In an advisory published by Apple this afternoon, Mac users and admins are being advised of the availability of the seventh major security package this year, which will include some 20 patches for both the System and Mac applications.

The last major Apple security update came on September 15, and the one before was issued on the last day of July. So security updates are getting to be a monthly affair with Apple, just as they've been with Microsoft for quite some time.

But in Apple's case, it's worth noting that security update packages also include patches for third-party Mac and Unix software, provided as a courtesy to their manufacturers or developers. This month, Apple is including what it characterizes as multiple vulnerabilities in the ClamAV open source anti-virus system for Unix (don't forget that Mac OS X is a Unix system now). ClamAV has been susceptible to multiple buffer overflow-triggered situations of arbitrary code execution since 2005, and this appears to be the latest incident.

One serious situation with the Mac System software itself which the 2008-007 security patch does address, involves what Apple describes as an independent discovery regarding maliciously crafted files and the Finder program. On a Mac, a file can be responsible for generating its own icon in Finder; the content of that icon is part of the file's "resource fork." Malicious code in the icon portion can cause Finder to shut down; and when it tries to restart, naturally, it tries rendering the same icon again. Which causes it to shut down again, which ends up making Finder look like something you saw in a Mac commercial once...on the left side of the TV screen.

While all this stopping and restarting is going on, Finder can lose track of the active user's own account. So this latest patch spawns a separate process for generating icons, which then links back to Finder.

Package 2008-007 also contains fixes for vulnerabilities in MySQL Server, Apache, PHP, and Tomcat.