While Apple's update to iTunes played second fiddle to the impending release of the iPhone 5, the security community did not miss the massive patch published by the consumer-technology giant on the same day.
The patch fixed a very long list of vulnerabilities -- 163 issues in all -- to WebKit, an open source technology for rendering HTML used by iTunes and many other applications, including Safari, Google's Chrome, and Yahoo Messenger. Using WebKit as the basic framework for its technologies means that Apple gets many of the benefits of open source, including a well-vetted codebase and the fast reporting of vulnerabilities. In this case, for example, Google found nearly half of the 163 vulnerabilities, while Apple found 26.
Despite the huge patch, the landscape has not changed for Apple users. The major incidents that have impacted users of the Mac OS X operating system have targeted vulnerabilities in the Java platform. In its review of the flaws, vulnerability-management firm Qualys did not find any issues that seemed particularly critical.
"I don't think iTunes is very high on the priority list of the attackers, and it is quite possible that none of the fixed vulnerabilities can actually be exploited through iTunes," says Wolfgang Kandek, chief technology officer for Qualys. "Personally, I recommend customers to first address the most exploited attack vectors, such as outdated PDF readers and old Java installations."
Apple's approach to security is similar to its approach to its product announcements: The company plays its cards very close to the vest. While Apple continue to update its products, security researchers have had mixed reactions from the company when they report bugs. In addition, the Apple's release of a security update on the same day as its major product announcement smacks of an attempt to bury the news.
However, Apple's closed ecosystem has improved the security of both its mobile devices and its operating system. Beginning with Mac OS X 10.7 Lion, the company began to enforce sandboxing, which will make it harder for attackers to gain access to the operating system by exploiting vulnerable applications. The company also moved its Safari browser to WebKit2, which segments the HTML renderer from scripts that run on the Internet.
WebKit has been identified as a possible route through which attackers could run code on a variety of systems, including Mac OS X. However, recent attacks in the wild have focused on exploiting Java. This month, for example, Oracle rushed out a patch to fix a flaw in the Java runtime environment that allows an attacker to take control of a Windows, Mac, or Linux system with no actions on the part of the user, aside from visiting a website with a Java-enabled browser. Earlier this year, the Flashback trojan infected some 600,000 Mac OS X systems using a vulnerability in Java.
The latest security update moves iTunes to version 10.7. The company announced on Wednesday that in October it would update the program with user interface changes to put the content front and center.
Sign up for Computerworld eNewsletters.