Well, Apple's released yet another security update to OS X, and this one's jam packed with patches for a stack of serious vulnerabilities. I've long predicted a flood of security bugs in the operating system would eventually flow from various security research houses -- the only surprise is that it took this long.

One of the bugs Apple patched in last week's update is particularly nasty. The mDNSResponder bug is a remote root in a system daemon.

Remote daemon bugs are the holy grail of security vulnerabilities. They allow an attacker to hack in to a machine without any user intervention whatsoever. The only saving grace for Apple is most computers, even personal computers, sit behind firewalls these days.

Even so, you won't find a bug like this in Windows these days -- Microsoft took the prudent step of including a software firewall, switched on by default, in every desktop version of Windows since XP Service Pack 2.

Apple OS X ships with a firewall, but it's not turned on by default. But pwning a Mac connected to a wireless access point or LAN with this vulnerability was a piece of cake.

I'd hazard a guess, and I haven't checked this, that there have been more remote bugs in OS X in 2007 than there have been in Windows. I had a chat with Steve Manzuik of Juniper Networks last week at the AusCERT conference on the Gold Coast. It was one of Steve's guys, Michael Lynn, who found the mDNSResponder vulnerability.

They went after some OS X bugs so they could take part in the 'Hack a Mac' competition at the CanSecWest conference in Canada, but quickly realised this bug was too serious to unleash on a trivial contest.

Instead they contacted Apple and provided the security team with details of the vulnerability, which Steve says the Juniper team found in about four hours.

The worst thing is, sources of mine close to some, err, "recreational" hackers, say exploit code for this bug has been floating around for over a year.

Now, I'm not suggesting Windows, BSD, Linux or any other OS is more or less secure than OS X. The only reason I'm spending my time writing up this post is because Apple has made security a big part of its marketing strategy, and frankly, I think its a misleading campaign.

Will the deluge of bugs continue? Interest in Apple bugs has been stimulated by two factors: this year's "Month of Apple Bugs" and the Hack a Mac contest. We could just be seeing these bugs because researchers were motivated to look for them. That in itself says something. It's been proved that there are plenty of vulnerabilities in OS X -- the only thing holding them back is a lack of interest among researchers in finding them.

Don't forget -- when it comes to Windows, every month is a month of Microsoft bugs...

Also, check this week's podcast -- David Litchfield talks about his push into database forensics... interesting stuff.