New 10.7.3 release includes Security Update 2012-001

updated 07:00 pm EST, Wed February 1, 2012

Closes vulnerabilities in Apache, PHP, more

Today's release of Mac OS X 10.7.3 also incorporates Apple's first Security Update of 2012, addressing vulnerabilities in components throughout the OS. The update is also available as a separate download for Snow Leopard users. None of the issues are known to have been exploited in the wild, but the update is recommended for all users of Mac OS X 10.6 and 10.7, and it closes potential issues in software ranging from Apache to QuickTime.

In all, more than 38 different vulnerabilities are addressed, including a number reported by researchers outside Apple. One example, reported by an Oracle employee, is an Address Book issue in which the client fell back to an unencrypted connection for CardDAV data whenever the encrypted connection failed; an attacker in a privileged network position could trigger that failure and then intercept the CardDAV data sent in the clear. Several of the flaws fixed in the update (particularly in QuickTime) were originally reported through TippingPoint's Zero Day Initiative and by Facebook, alongside the usual security firms and other outside sources.
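The Address Book flaw is an instance of a general fail-open pattern: a client that treats a TLS failure as a reason to retry in cleartext hands an on-path attacker a downgrade for free. The stand-in client below is an illustration added for this article, not Apple's Address Book code; the network, the hostname, the vCard body and the attacker's capability (blocking the TLS handshake) are all constructed so it runs offline.

```python
"""Fail-open TLS fallback beside its fail-closed counterpart.

Illustrative stand-in written for this article, not Apple's code.  The
Network class is a constructed model: the on-path attacker can (a) make the
TLS handshake fail and (b) read anything that then goes over the wire in
cleartext.  That is the whole capability the downgrade needs.
"""
import ssl


class Network:
    """Constructed network model (assumption, not a real transport)."""

    # Constructed sample payload; the host below is also made up.
    VCARD = "BEGIN:VCARD\nFN:Example Person\nEMAIL:example@example.invalid\nEND:VCARD\n"

    def __init__(self, attacker_blocks_tls=False):
        self.attacker_blocks_tls = attacker_blocks_tls
        self.attacker_saw = []  # cleartext requests visible on the wire

    def https_get(self, host, path):
        """TLS fetch; fails when the attacker tampers with the handshake."""
        if self.attacker_blocks_tls:
            raise ssl.SSLError("handshake reset by on-path attacker")
        return self.VCARD

    def http_get(self, host, path):
        """Cleartext fetch; everything here is readable by the attacker."""
        self.attacker_saw.append((host, path))
        return self.VCARD


def fetch_vulnerable(net, host, path="/addressbook/card.vcf"):
    """Fail-open client: any HTTPS error is silently retried over HTTP.

    Returns (scheme_used, body).  ssl.SSLError is a subclass of OSError, so
    the broad except below swallows the handshake failure and downgrades."""
    try:
        return "https", net.https_get(host, path)
    except OSError:
        return "http", net.http_get(host, path)


def fetch_hardened(net, host, path="/addressbook/card.vcf"):
    """Fail-closed client: a TLS failure is surfaced, never downgraded."""
    return "https", net.https_get(host, path)


def demo(attacker_present):
    """Run both clients against the same network; return what happened."""
    host = "carddav.example.invalid"  # constructed hostname
    result = {}

    net = Network(attacker_blocks_tls=attacker_present)
    result["vulnerable"] = fetch_vulnerable(net, host)[0]
    result["attacker_saw_cleartext"] = bool(net.attacker_saw)

    net = Network(attacker_blocks_tls=attacker_present)
    try:
        result["hardened"] = fetch_hardened(net, host)[0]
    except OSError as exc:
        result["hardened"] = "error: %s" % exc
    result["hardened_leaked"] = bool(net.attacker_saw)
    return result


if __name__ == "__main__":
    for present in (False, True):
        print("attacker present:", present, demo(present))
```

With no attacker both clients use HTTPS; once the attacker resets the handshake, the fail-open client quietly fetches the card over HTTP and the attacker sees the request, while the hardened client returns an error and nothing leaks. The fix is the shape of the `except`, not the transport: a TLS error must never select a weaker channel.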

In alphabetical order, security improvements were made to Address Book, Apache, CFNetwork, ColorSync, CoreAudio, CoreMedia, CoreText, CoreUI, curl, Data Security, dovecot, filecmds, ImageIO, Internet Sharing, Libinfo, libresolv, libsecurity, OpenGL, PHP and QuickTime (numerous fixes in each), SquirrelMail, Subversion, Time Machine, Tomcat, WebDAV Sharing, Webmail and X11. The OpenGL bug (memory corruption issues in the handling of GLSL compilation) was credited to members of the Red Hat and Google Chrome security teams.

Some of the issues now resolved were unique to OS X Lion, including two flaws in CFNetwork, a Libinfo flaw that mishandled malformed URLs, a WebDAV Sharing issue that could have allowed valid account holders on one server to execute arbitrary code on others, and a cross-site scripting vulnerability in Webmail. Four issues were specific to OS X 10.6.8, including a problem with maliciously crafted images in ColorSync, a buffer overflow in CoreAudio, and several flaws in SquirrelMail and Tomcat.

In the latter cases the programs themselves were updated (to 1.4.22 for SquirrelMail and 6.0.33 for Tomcat). Other components that were simply moved to newer upstream releases to address numerous issues include Apache (now at 2.2.21), libpng (now at 1.5.5), libtiff (to 3.9.5), PHP (now v5.3.8), FreeType (to version 2.4.7), Subversion (now at 1.6.17) and Roundcube webmail (to version 0.6).
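After applying the update, an administrator of a Mac OS X Server box will want to confirm that the bundled components really report the versions listed above. The script below is an example added here, not an Apple tool: it assumes the banner formats printed by `httpd -v`, `php -v` and `svn --version` (noted per entry), keeps parsing separate from probing so the logic can be exercised offline against constructed banners, and only covers the components whose versions the article gives and which ship a command-line banner.

```python
"""Post-update version check for components listed in Security Update 2012-001.

Example added for this article, not Apple's tooling.  Assumed banner formats
(one per entry below) are the usual output of each tool's version flag.
"""
import re
import subprocess

# component -> (command to run, minimum version after the update, per the article)
COMPONENTS = {
    "Apache":     (["httpd", "-v"],      "2.2.21"),  # assumed: "Server version: Apache/2.2.21 (Unix)"
    "PHP":        (["php", "-v"],        "5.3.8"),   # assumed: "PHP 5.3.8 (cli) (built: ...)"
    "Subversion": (["svn", "--version"], "1.6.17"),  # assumed: "svn, version 1.6.17 (r...)"
}

# First dotted x.y.z token; the \b guards keep "r1128011"-style build ids out.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first x.y.z version in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def meets_minimum(component, banner):
    """True if the version found in banner is at least the article's minimum.

    Tuple comparison handles 5.3.10 >= 5.3.8 correctly, where a string
    comparison would not."""
    found = parse_version(banner)
    needed = parse_version(COMPONENTS[component][1])
    return found is not None and found >= needed


def probe(command):
    """Run a version command and return its combined output, or None if the
    tool is not installed or does not answer."""
    try:
        proc = subprocess.run(command, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout + proc.stderr


def check_all(banners):
    """banners: component -> banner text or None.  Returns component -> status."""
    status = {}
    for name, (_, minimum) in COMPONENTS.items():
        banner = banners.get(name)
        if banner is None:
            status[name] = "not found"
        elif meets_minimum(name, banner):
            status[name] = "ok (>= %s)" % minimum
        else:
            status[name] = "OUTDATED (< %s)" % minimum
    return status


if __name__ == "__main__":
    live = {name: probe(cmd) for name, (cmd, _) in COMPONENTS.items()}
    for name, result in check_all(live).items():
        print("%-11s %s" % (name, result))
```

A component reported as "not found" is not necessarily missing; on a client install some of these tools are absent or live outside the default PATH, so treat that status as "check by hand" rather than "fine".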

The update is already included in 10.7.3 (Client and Server versions). Users of 10.6.8 can obtain it either via Software Update or by downloading the file directly from Apple's website. The file for Snow Leopard is 192.73MB in size; a version for Snow Leopard Server, 212.09MB in size, is also available and will appear in Software Update for those users.

by MacNN Staff
