“Apple believes that using Open Source methodology makes Mac OS X a more robust, secure operating system, as its core components have been subjected to the crucible of peer review for decades. Any problems found with this software can be immediately identified and fixed by Apple and the Open Source community.”
This is true, OS X is a very robust system but OS X updates are not pushed out to the public every time one of it’s open source components are updated, this can leave Mac users with outdated and potentially vulnerable software and services. One of the biggest examples of Apple including 3rd party software in it’s OS was Java. Instead of letting Oracle provide the updates to it’s customers we had to wait for Apple to push out updates, usually several months after Oracle released an update. This was known to cause some issues 😉 While Apple stopped including Java in it’s OS and finally left the updates for Oracle to sort out, there are plenty of open source and 3rd party projects included in the system. Let’s take a look at a few examples.
At the time of writing OS X includes Apache version 2.2.22, built December 2, 2012. The latest available version is 2.2.24. OS X 10.8.4 was released on
June 4, 2013 so could have easily included the latest version or one newer than .22. Whatever the reason is for not including this latest version in the last OS X update, the fact is that Mac users are now running a system that missed out on these and these updates and security patches. I do not know if this only impacts users that use the built-in webserver or if Apache is part of other OS X services but it is something to look in to.
Included in OS X 10.8.4 is version 1.8.7, released over a year ago. The latest available version is 2.0.0. While i could not find any changelogs to see exactly what kind of updates and patches have happened wince then because the ruby website is a mess (typical made by coders for coders), a year is a long time and i was able to find several vulnerability reports online that apply to versions 1.8 and 1.9.
WebKit ties in to a few of OS X’s applications. Safari, Mail, iTunes, iChat*, iWeb*, Help Viewer, Aperture, Dashboard, Dictionary and Xcode. It’s also used in Google’s Chrome. Included in OS X 10.8.4 is version 536.30.1 but new builds addressing issues being released daily. As webkit is often smacked around in hacker tournaments and has a decent history of vulnerabilities it is important, for me at least, to stay as up to date on this as possible.
I’m sure there are many more examples, as you can see the list of open source used by Apple is huge. While i am currently not aware of any vulnerabilities that pose an immediate threat to Mac users because of these outdated services, next time you read about another vulnerability affecting one of them, you have a choice. You can wait a few months for Apple to release an update (and hope it incorporates the latest updates and patches) or you can update these services yourself. I stay up to date on WebKit and XQuartz but never perform any updates to Apache or Ruby. This is mostly because i do not know how those services affect me (i don’t use Apache and have no idea how/if i use Ruby) and i have not had time to look into it. If you want to dig deeper and see which open source piece of the puzzle affects you and the way you use your Mac, here is the list. Once you identify something of importance to you find out if you can update it yourself and decide if it’s worth the effort or, wait for the next time Software Update notifies you.