Staying Current with Mac OS X
Any operating system, regardless of who wrote it and on what platform it runs, will eventually be found to be vulnerable to some type of attack. After these vulnerabilities are found, it is important for vendors to release a patch in a timely manner. It is also important for administrators to have an intuitive and effective way to stay current with the latest patch levels.
Apple has gone through a bit of a revolution in how it handles patches. In the early days of Mac OS X, patches were slow to arrive and the patching mechanism provided within Mac OS X was not secure. However, based on user feedback, Apple is now much more responsive about releasing security patches. They have also updated their patching mechanism to provide assurances of the integrity of the patch and where it came from.
Due to the UNIX core of Mac OS X, many of the vulnerabilities that affect other UNIX variants, such as FreeBSD and Linux, will also affect Mac OS X. Mac OS X has also had its fair share of vulnerabilities specific to itself. It is important to stay current with the patches released by Apple to protect yourself from attackers attempting to utilize known vulnerabilities.
The Software Update Preferences pane controls Mac OS X's automatic update features. The Update Software tab controls how often Software Update runs. Set this to daily to be as current as reasonably possible. If you need to check for updates by hand, the Check Now button runs Software Update manually. When Software Update runs, it queries a server at Apple for any patches and fixes available for software installed on your computer (see Figure 3.7). If it finds anything that requires updating, it displays the available updates and asks you to confirm that you want them installed. After Software Update has run, run it manually another time. Some updates depend on other updates and may not be installed the first time. Running Software Update a second time should install any packages whose dependencies were satisfied by the first run.
Figure 3.7 The Software Update panel.
After you have selected the updates you want to install, Software Update downloads the patches and installs them. Generally the core security updates will require a reboot of your machine, so be sure you have saved all your work before you start the update process. Depending on how far behind on patches you are, you may have to run Software Update several times.
There is also a command line software update program, softwareupdate, that can be run from the Terminal application. When run without any parameters passed to it, it will contact the servers at Apple and determine what patches need to be installed:
bash-2.05a$ sudo softwareupdate
Software Update Tool
Copyright 2002 Apple Computer, Inc.
Software Update found the following new or updated software:
- 3359 QuickTime (6.0.2), 19620K - restart required
- 3339 StuffIt Expander Security Update (7.0), 4420K
To install a particular patch, reference it by name as a parameter. For example, sudo softwareupdate 3339 will install the StuffIt Expander Security Update. softwareupdate is convenient if you are maintaining workstations remotely and need to update them without terminal access.
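For remote maintenance, the listing above can be parsed to pick out the security updates and flag the ones that force a reboot. The script below is an added example, not code from the book. It assumes the listing format shown in the transcript above, and its function names (parse_updates, security_ids, restart_needed, plan_security_install) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the book). Function names are hypothetical.
# Offline input: the listing lines from the transcript on this page.
SAMPLE_LISTING='Software Update found the following new or updated software:
- 3359 QuickTime (6.0.2), 19620K - restart required
- 3339 StuffIt Expander Security Update (7.0), 4420K'

# parse_updates: listing on stdin -> one "id|restart|sizeK|name (version)" per update.
parse_updates() {
    awk '
        /^- [0-9]+ / {
            line = $0
            restart = "no"
            if (sub(/ - restart required$/, "", line)) restart = "yes"
            sub(/^- /, "", line)
            id = line;   sub(/ .*/, "", id)
            size = line; sub(/^.*, /, "", size); sub(/K$/, "", size)
            name = line; sub(/^[0-9]+ /, "", name); sub(/, [0-9]+K$/, "", name)
            print id "|" restart "|" size "|" name
        }'
}

# security_ids: listing on stdin -> ids of entries named "... Security Update".
security_ids() {
    parse_updates | awk -F'|' '$4 ~ /Security Update/ { print $1 }'
}

# restart_needed ID: listing on stdin; exit 0 if that update needs a restart.
restart_needed() {
    parse_updates | awk -F'|' -v id="$1" '
        $1 == id && $2 == "yes" { found = 1 }
        END { exit !found }'
}

# plan_security_install: print the per-patch install command the page describes,
# flagging any patch that will force a reboot so work can be saved first.
plan_security_install() {
    listing=$(cat)
    for id in $(printf '%s\n' "$listing" | security_ids); do
        echo "sudo softwareupdate $id"
        if printf '%s\n' "$listing" | restart_needed "$id"; then
            echo "# $id requires a restart: schedule a reboot window"
        fi
    done
}

printf '%s\n' "$SAMPLE_LISTING" | plan_security_install
```

On a live workstation, pipe the output of sudo softwareupdate into plan_security_install instead of the sample listing.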