10.4.9: Tons o' security fixes
Apple yesterday released Mac OS 10.4.9, which includes security update 2007-003 (available standalone for Mac OS 10.3.9). The laundry list of security updates is quite long, but almost all the fixes are to theoretical bugs, many uncovered as part of the Month of Apple Bugs project.
The list shows that Apple continues to take security issues very seriously, and that they’re doing their homework. The length of the list is, however, unfortunate on many accounts: it gives the appearance that there’s an overall security problem when really there isn’t one, it presents a real risk of introducing new bugs and security issues (which will, rightly, cause many people to hold off on installing it), and it causes the few important fixes to be obscured by the myriad less significant ones (there are so many items in the list that most people won’t read the list at all).
To try to help with these problems, here’s a brief annotated summary of the fixes, in an order other than Apple’s alphabetical one. Specifically, items in the first group appear the most worrisome, followed by those in the second, and lastly by those in the third. Even in the first group, however, the worry level is pretty low:
Group 1: Built-in OS services that could be attacked from outside (very unlikely, but there’s not much you can do about these other than apply the fixes)
• CUPS (Printer Sharing): Remote attackers may cause a denial of service during SSL negotiation (SSL negotiation is almost never used in Printer Sharing)
• HID Family: Console keyboard events (potentially including the typing of passwords) are exposed to other users on the local system (which there usually aren’t any)
• Networking: Maliciously-crafted AppleTalk requests may lead to a local denial of service or arbitrary code execution, or local users may be able to cause an unexpected termination of system operations or other problems by using AppleTalk
• OpenSSH: Multiple vulnerabilities in OpenSSH (used for Remote Login), the most serious of which is arbitrary code execution (two instances)
• SMB File Server: A user with write access to an SMB share (Windows sharing) may be able to cause a denial of service or arbitrary code execution
Group 2: Viewing/opening untrusted files (always risky)
• ColorSync: Viewing a maliciously-crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution
• CoreGraphics: Viewing a malformed PDF Document may lead to an application hang
• Flash Player (used in Safari and other Web browsers): Playing maliciously-crafted Flash content could allow an HTTP request splitting attack (say what?! basically a faked response from a Web server)
• Disk Images: Mounting or downloading a maliciously-crafted disk image may lead to an unexpected application termination or arbitrary code execution (four instances)
• ImageIO: Viewing a maliciously-crafted GIF file or RAW image may lead to an unexpected application termination or arbitrary code execution
• iPhoto 6.0.6 (a separate update): Subscribing to a maliciously-crafted photocast may lead to arbitrary code execution
• Kernel: Executing a maliciously-crafted program may lead to an unexpected termination of system operations or arbitrary code execution with elevated privileges
• QuickDraw Manager: Opening a maliciously-crafted PICT image may lead to an unexpected application termination or arbitrary code execution (two instances)
• Software Update: Opening a maliciously-crafted Software Update Catalog file may lead to an unexpected application termination or arbitrary code execution
Group 3: Things you’re really unlikely to encounter, or that probably won’t really cause any problems
• Crash Reporter: Crash Reporter may allow a local admin user to obtain system privileges
• DS Plug-Ins (Directory services): Unprivileged LDAP (directory server) users may be able to change the local root password
• Kernel: Malicious local users may be able to cause a denial of service
• GNU Tar: Multiple vulnerabilities in GNU Tar, the most serious of which is arbitrary code execution
• MySQL Server (an add-on service): Multiple vulnerabilities in MySQL, the most serious of which is arbitrary code execution
• Printing: An unprivileged local user can overwrite arbitrary files with system privileges during printer initialization
• sudo: A local user with sudo access to a bash script can run arbitrary commands with elevated privileges
• servermgrd (OS X Server only): Remote attackers may be able to access Server Manager without valid credentials
• WebLog (OS X Server only): A remote attacker can conduct cross-site scripting attacks through Blojsom
As to whether to install the update right away or not, here’s what the book says about it:
Sometimes updates, even security updates, actually make things worse. If you’re tied into an online or offline discussion group (a Mac users’ group for instance), it might be best to ask about people’s opinions and experiences there (although beware that, with large online groups, there will always be someone who has some problem with just about anything). Otherwise, as a rule of thumb, it’s probably best to install any security update as soon as possible, and to consider operating system upgrades, which often contain security fixes as well. Apple’s security site at http://www.apple.com/support/security/ provides information to help you in this decision process, as does [this blog].
Wednesday, March 14, 2007