Apple re-releases critical security patch

Apple has re-released a mammoth security patch after the original update broke 64-bit applications.

Version 1.1 of Security Update 2005-007 is now available from Apple's website or via the Mac OS X "Tiger" automatic update system.

The original Security Update 2005-007, released on Monday, fixed errors in more than 40 components, some of them with critical flaws. Among those elements affected were AppKit, BlueTooth, CoreFoundation, cups, Directory Services, HIToolBox, Kerberos, loginwindow, Mail, OpenSSL, QuartzComposerScreenSaver, Security Interface, Safari, X11 and zlib.

But the update also rendered 64-bit optimised applications unusable, causing thousands of companies to field calls from angry customers, and Apple was forced to withdraw the patch.

Software maker Wolfram Research contacted its customers via email to explain why their Mathematica 5.2 stopped working after users installed the Apple update. "Due to an error on the part of Apple, this update prevents any 64-bit-native application from running," said Wolfram in the note to customers. "In particular, this means that Mathematica 5.2 will not run on any G5 system if it has installed this Security Update."

The original update included only the 32-bit version of an important system component called LibSystem, omitting the 64-bit version, according to Apple.

The bug meant that other applications tweaked for 64-bit chips, such as the 64-bit GMP library or the GCC 4.0.0 compiler, also didn't work, according to experts. Tiger, technically known as Mac OS X 10.4, is the first version of OS X to support 64-bit applications. 64-bit addressing allows the use of more memory space and is critical to some database and scientific software.

Industry analysts have said that Apple's system updates are increasingly stable, with such glitches more of an exception than a rule. Still, problematic patches can put system administrators between a rock and a hard place.

Hackers have become quicker at exploiting security holes in the window between the release of a patch and the widespread application of the patch. A Plug n Play bug patched last week by Microsoft, for instance, turned into a major worm attack within a week.

Yet flawed patches continue to turn up regularly. In March, Microsoft acknowledged that a January patch for Windows 98 and Windows ME -- the KB891711 update included with security bulletin MS05-002 -- caused performance problems. Microsoft's MS05-001 bulletin, also in January, failed to completely fix all the security problems addressed, according to security researchers.

In April, Apple had to patch an earlier update that had broken some websites and caused the Safari browser to crash. In May of last year, Apple came under fire for a patch didn't completely fix a remotely exploitable security flaw.

• Bookmark this page
• Share this article
  •  
  • facebook
  • slashdot
  • digg
  • Reddit
  • stumbleupon
  • linkedin
  • twitter
• Got more on this story? Email Computerworld
• Follow Computerworld on twitter

• Share
  Share this article

  •  google+
  • facebookfacebook
  • slashdotslashdot
  • diggdigg
  • RedditReddit
  • stumbleuponstumbleupon
  • linkedinlinkedin
  • twittertwitter
• print
• email
• Bookmark