Apple issued a fix for just one security vulnerability in the release of the latest version of its Mac OS X software on Thursday. OS X 10.6.6 fixes a flaw in PackageKit, a software installation and updating tool.
The newest version of OS X is mostly notable for its inclusion of the Mac App Store. The App Store is Apple’s move to extend the iTunes buying experience to the Mac platform, which until now has required users to buy software applications through normal channels, much as Windows users do. Now, though, Mac users will be able to download and install apps directly from the App Store using their iTunes accounts.
The PackageKit bug that Apple fixed in 10.6.6 could enable an attacker to execute arbitrary code on a vulnerable machine.
“A format string issue exists in PackageKit’s handling of distribution scripts. A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution when Software Update checks for new updates. This issue is addressed through improved validation of distribution scripts,” Apple said in its advisory.
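As an added illustration of the bug class the advisory describes (this is example code written for this article, not Apple's PackageKit code and not taken from the advisory), the following shows why a string from an update's distribution script must never be used as a format argument, and how a maintainer validates such a field before it reaches any formatting sink. The field name, sample values and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a 'title' field as a distribution script might carry it,
   here laced with format directives (assumed example, not from the advisory). */
static const char *SAMPLE_TITLE = "Mac OS X Update %x %x %x";

/* Vulnerable pattern (do not use):  snprintf(out, n, title);
   The untrusted title becomes the format string, so any directives it carries are
   interpreted, which is exactly the class of flaw the advisory names. */

/* Hardened pattern: the untrusted text is always an argument, never the format. */
static void render_literal(char *out, size_t n, const char *title) {
    snprintf(out, n, "%s", title);    /* title is copied verbatim */
}

/* Defensive validation: reject a field containing any conversion directive.
   A '%' followed by another '%' is a literal percent sign and is allowed. */
int has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}

/* Returns 1 if the field was accepted and copied literally into out,
   0 if it was rejected (out is left empty). */
int render_title(char *out, size_t n, const char *title) {
    if (has_format_directive(title)) {
        out[0] = '\0';
        return 0;
    }
    render_literal(out, n, title);
    return 1;
}

int main(void) {
    char buf[128];
    int ok = render_title(buf, sizeof buf, SAMPLE_TITLE);
    printf("accepted=%d buf=\"%s\"\n", ok, buf);
    ok = render_title(buf, sizeof buf, "Mac OS X 10.6.6 Update");
    printf("accepted=%d buf=\"%s\"\n", ok, buf);
    return 0;
}
```

Validation of this kind complements, rather than replaces, passing untrusted text only as a `%s` argument: the first stops hostile fields at the parser, the second makes the sink safe even if the parser misses one.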
The opening of the Mac App Store opens up what has become a favorite new attack vector: malicious applications and malware-laced fake apps. Apple, Google and BlackBerry all have found themselves with malicious apps in their mobile-phone app stores in recent months. There have been examples of fake online banking apps, Trojans masquerading as games and other similar incidents. Security researchers have shown that it’s a relatively simple task to game the system and insert potentially malicious apps into these app stores, and the Mac App Store would be another attractive target for attackers, given the large Mac user base.