Printed from http://www.macnn.com

New 10.7.3 release includes Security Update 2012-001

updated 07:00 pm EST, Wed February 1, 2012

Closes vulnerabilities in Apache, PHP, more

Today's release of Mac OS X 10.7.3 also incorporates Apple's first Security Update of 2012, which addresses vulnerabilities in components throughout the OS. The update is also available as a separate download for Snow Leopard users. While none of the issues are reported as exploited in the wild, the update is recommended for all users of Mac OS X 10.6 and 10.7, and closes issues in components ranging from Apache to QuickTime.

In all, more than 38 vulnerabilities are addressed, including a number reported by researchers outside Apple. One example, reported by an Oracle employee, is an issue in Address Book: when an encrypted connection to a CardDAV server failed, Address Book fell back to an unencrypted connection, so an attacker in a privileged network position could intercept CardDAV data. Several of the flaws fixed in the update (particularly in QuickTime) were initially reported through TippingPoint's Zero Day Initiative, by Facebook, and by the usual security firms and other outside sources.

In alphabetical order, security fixes were made to Address Book, Apache, CFNetwork, ColorSync, CoreAudio, CoreMedia, CoreText, CoreUI, curl, Data Security, dovecot, filecmds, ImageIO, Internet Sharing, Libinfo, libresolv, libsecurity, OpenGL, PHP (numerous fixes), QuickTime (numerous fixes), SquirrelMail, Subversion, Time Machine, Tomcat, WebDAV Sharing, Webmail and X11. The OpenGL bug (memory corruption in the handling of GLSL compilation) was credited to members of the Red Hat and Google Chrome security teams.

Some of the issues now resolved were unique to OS X Lion, including two flaws in CFNetwork, a Libinfo flaw in the handling of malformed URLs, a WebDAV Sharing issue that could have allowed a user with a valid account on one server to execute arbitrary code on others, and a cross-site scripting vulnerability in Webmail. Four issues were specific to OS X 10.6.8, including a problem with maliciously crafted images in ColorSync, a buffer overflow in CoreAudio, and several SquirrelMail and Tomcat flaws.

In the latter two cases, the programs themselves were updated (to 1.4.22 for SquirrelMail and 6.0.33 for Tomcat). Other components that were updated wholesale to address numerous issues include Apache (now at 2.2.21), libpng (1.5.5), libtiff (3.9.5), PHP (5.3.8), FreeType (2.4.7), Subversion (1.6.17) and Roundcube webmail (0.6).
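A quick way to check a machine against the component versions listed above, as an added example (not Apple's or MacNN's code): the required versions are the ones named in the article, and the banner lines fed to it are constructed for this example, standing in for the output of commands such as `httpd -v`, `php -v` and `svn --version` on a real host.

```python
import re

# Component versions the article says Security Update 2012-001 ships.
PATCHED_VERSIONS = {
    "apache": "2.2.21",
    "php": "5.3.8",
    "libpng": "1.5.5",
    "libtiff": "3.9.5",
    "freetype": "2.4.7",
    "subversion": "1.6.17",
    "squirrelmail": "1.4.22",
    "tomcat": "6.0.33",
    "roundcube": "0.6",
}

# First dotted numeric version in a banner line, e.g. "Apache/2.2.20" -> 2.2.20
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(banner):
    """Return the first dotted version in a tool banner as a tuple of ints.

    Tuples compare element-wise, so (5, 3, 6) < (5, 3, 8) and
    (1, 6, 17) >= (1, 6, 17).  A banner with no version raises ValueError
    rather than being silently treated as current (fail closed).
    """
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no version number in banner: %r" % banner)
    return tuple(int(part) for part in m.group(0).split("."))


def is_patched(component, banner):
    """True if the banner shows a version at or above the update's version."""
    required = tuple(int(p) for p in PATCHED_VERSIONS[component].split("."))
    return parse_version(banner) >= required


def audit(banners):
    """Map each component to (installed version string, patched?).

    `banners` is {component: banner line}.  Components absent from the
    mapping are simply not reported: a host without Tomcat has nothing
    to patch.
    """
    results = {}
    for component, banner in banners.items():
        installed = ".".join(str(p) for p in parse_version(banner))
        results[component] = (installed, is_patched(component, banner))
    return results


# Constructed sample banners (not captured from a real host).  Apache and
# Subversion are one release behind the update; the others are current.
SAMPLE_BANNERS = {
    "apache": "Server version: Apache/2.2.20 (Unix)",
    "php": "PHP 5.3.8 (cli)",
    "subversion": "svn, version 1.6.16",
    "libpng": "libpng version 1.5.5",
    "tomcat": "Server version: Apache Tomcat/6.0.33",
}


if __name__ == "__main__":
    for component, (installed, ok) in sorted(audit(SAMPLE_BANNERS).items()):
        status = "ok" if ok else "NEEDS UPDATE (want %s)" % PATCHED_VERSIONS[component]
        print("%-12s %-8s %s" % (component, installed, status))
```

A banner below the listed version is a clear sign the update has not been applied; a banner at or above it is only a coarse indicator, since a reported version number does not by itself prove every fix is present.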

The update is already included in 10.7.3 (Client and Server), but 10.6.8 users can obtain it either via Software Update or by downloading the file directly from Apple's website. The file for Snow Leopard is 192.73MB; a version for Snow Leopard Server is 212.09MB and will appear in Software Update for those users.




by MacNN Staff
