Apple patches 12 bugs in Flash, SSL

Apple on Tuesday patched 12 vulnerabilities in Leopard and Snow Leopard, including seven in Adobe Flash Player and one in the protocol used to secure Internet traffic.

Security update 2010-001, the first from Apple this year, is noticeably smaller than the monster issued last November that fixed almost 60 flaws.

The seven fixes for Flash Player, Apple's first update to the popular media player since September, brought the program up to version 10.0.42.34, the same edition that Adobe shipped 8 December, 2009 , for Windows and Linux. Adobe tagged six of the seven vulnerabilities as critical in its own security advisory last month.

Because Apple bundles Flash Player with Mac OS X, it regularly distributes patches for the Adobe software, at times months after the latter has shipped patches. The six-week gap between Adobe's issuing fixes and Apple delivering them this time was similar to the time it took Apple to update Flash in the summer of 2009.

Altogether, nine of the 12 bugs were accompanied by the phrase "may lead to arbitrary code execution", Apple's way of saying that a flaw is critical and can be used by attackers to hijack a Mac. Apple does not assign ratings or severity scores to the bugs it patches, unlike other major software makers, such as Microsoft and Oracle.

Other than the patches for Flash Player, the most notable fix in the batch was for a flaw in the SSL (secure socket layer) and TLS (transport socket layer) protocols that, if exploited, could let attackers capture or change data that was supposedly protected as it moved between browsers and servers.

The man-in-the-middle vulnerability was discovered in August 2009 by Marsh Ray and Steve Dispensa, a pair of security analysts with PhoneFactor, a maker of two-factor authentication services and software. Ray and Dispensa met with representatives of several companies, including Cisco, IBM, Intel, Microsoft and Nokia, last September to work out ways to patch the underlying SSL libraries, but then had to rapidly switch gears when information was independently revealed on a mailing list Nov. 4.

Other vendors, including Microsoft and Cisco, have not yet patched the SSL vulnerability in their software; both, however, are testing fixes, according to PhoneFactor.

Security researchers last year said that the bug could have been used to hack Twitter accounts, as well as steal data from other Web sites.

The security update for Leopard and Snow Leopard can be downloaded from the Apple site or installed using Mac OS X's integrated update service. No patches are available for Mac OS X 10.4, aka Tiger, the 2005 operating system that Apple has retired from support.