Apple has rolled out a whopping 26 security patches for its Mac OS X operating system for vulnerabilities ranked by Secunia today as "highly critical." (See Mac OS X Security Update Fixes Multiple Vulnerabilities.)
The patches fix vulnerabilities that allow a user's files, folders, and applications to be exploited by another user. They also address buffer overflows, cross-site scripting and execution of arbitrary code in the OS, among other things. (See About Security Update 2006-004.)
Among the most dramatic flaws revealed in the patches are those in the Apple File Protocol (AFP) server: One allows an attacker to get names of a user's files and folders via the user's search results, and another lets an authenticated user crash or execute arbitrary code, accessing others' files and folders.
AFP is Apple's proprietary file protocol.
"The AFP vulnerabilities are nasty stuff," says Joe Hernick, IT director for the Loomis Chaffee School and a Mac OS X customer. "If you're running an AFP in-house, a bad guy could get a whole bunch of information to do further exploits."
Hernick says Loomis Chaffee School doesn't run AFP as its file protocol, but instead uses IP, so he's safe from those bugs. "And most folks aren't using AFP anymore unless they are running some old Apple legacy apps on newer servers," he says.
Among the other vulnerabilities covered by the Apple patches is one that allows the Safari browser to automatically let arbitrary code execute if the "open safe files after downloading" setting is enabled in the browser. That bug stems from a compression-state handling error, and a user would have to open a malicious archive, which could crash the app or execute bad code.
There are also bugs in Apple's DHCP implementation and a way for malicious users on the LAN to gain elevated user privileges by loading dynamic libraries. There is also a denial-of-service vulnerability in fetchmail.
Apple also patched several imaging vulnerabilities that basically crash applications and execute arbitrary code. "It's the same idea here with these images as 'Don't open a file you don't know,'" Hernick says.
Other vulnerabilities include a telnet flaw and one in OpenSSH that lets an attacker launch a denial-of-service attack or fish for an account when remote login is enabled in the server.
Hernick says he mostly runs Apple clients, so he'll push the updates to the school's desktops via Apple Remote Desktop Server to save bandwidth, and its servers will get automatic updates from Apple. "Apple used to tout that they weren't vulnerable," he says. "[But] they are based on BSD Unix, so people are going to define problems and flaws. It just goes to show you that no [OS] is perfect."
Kelly Jackson Higgins, Senior Editor, Dark Reading