updated 07:00 pm EST, Wed February 1, 2012
Closes vulnerabilities in Apache, PHP, more
Today's release of Mac OS X 10.7.3 also incorporates Apple's first Security Update of 2012, addressing vulnerabilities in components throughout the OS. The update is also available as a separate download for Snow Leopard users, and while none of the issues have been reported in the wild, the update is recommended for all users of Mac OS X 10.6 and 10.7, and closes potential issues in programs ranging from Apache to QuickTime.
In all, more than 38 different vulnerabilities are addressed, including a number reported by researchers outside Apple. A potential issue in Address Book where it would fall back to an unencrypted connection for accessing CardDAV data when an encrypted connection failed, for example, was reported by an Oracle employee (an attacker in a privileged network position could abuse this flaw to intercept CardDAV data). A number of the flaws fixed in the update (particularly in QuickTime) were initially reported by those working through TippingPoint's Zero Day Initiative and Facebook, along with the usual security firms and other outside sources.
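The Address Book flaw above is an instance of a general failure mode: a client that silently retries in plaintext when TLS fails hands its data to anyone who can block the encrypted connection. The following added example (not code from the article or from Apple) models that behaviour with a simulated transport so it runs offline: the flawed fallback and the hardened form sit side by side, and an audit list records which scheme was actually used so a downgrade can be detected after the fact. The host name, the transport function and the vCard response are all constructed for the example.

```python
"""Illustration of the TLS-to-plaintext fallback class described in the article.

All names here (TlsUnavailable, fetch_vcards, blocked_tls_transport, the
carddav.example.test host) are constructed for this example; none are Apple APIs.
"""
from dataclasses import dataclass
from urllib.parse import urlparse, urlunparse


class TlsUnavailable(Exception):
    """Raised by the (simulated) transport when the TLS handshake fails."""


class DowngradeRefused(Exception):
    """Raised by the hardened client instead of retrying in plaintext."""


@dataclass
class ConnectionRecord:
    requested: str  # scheme the caller asked for
    used: str       # scheme actually used on the wire


def _to_plain_scheme(url: str) -> str:
    """Rewrite an https:// URL to http://, keeping host and path."""
    return urlunparse(urlparse(url)._replace(scheme="http"))


def fetch_vcards(url: str, transport, allow_plaintext_fallback: bool, audit: list) -> str:
    """Fetch CardDAV data through `transport(url)` and record the scheme used.

    allow_plaintext_fallback=True reproduces the flawed behaviour: when TLS fails
    the same request is retried over http://, so whoever can block the TLS
    connection sees the address book in the clear.
    allow_plaintext_fallback=False is the hardened form: the failure is surfaced
    to the caller and no plaintext request is ever sent.
    """
    requested = urlparse(url).scheme
    try:
        body = transport(url)
        audit.append(ConnectionRecord(requested, requested))
        return body
    except TlsUnavailable:
        if not allow_plaintext_fallback or requested != "https":
            raise DowngradeRefused(
                f"TLS to {urlparse(url).hostname} failed; not retrying in plaintext"
            )
        body = transport(_to_plain_scheme(url))
        audit.append(ConnectionRecord(requested, "http"))
        return body


def downgraded_connections(audit: list) -> list:
    """Detection helper: records where https was requested but http was used."""
    return [r for r in audit if r.requested == "https" and r.used != "https"]


def blocked_tls_transport(url: str) -> str:
    """Constructed transport simulating a network where TLS is blocked but plaintext works."""
    if url.startswith("https://"):
        raise TlsUnavailable(url)
    return "BEGIN:VCARD\nFN:Example Contact\nEND:VCARD"  # constructed sample response


def demo():
    """Run both client policies against the blocked-TLS network.

    Returns (what the flawed client leaked, whether the hardened client refused,
    number of downgrades visible in the audit log).
    """
    url = "https://carddav.example.test/addressbooks/user/"  # constructed host
    audit = []
    leaked = fetch_vcards(url, blocked_tls_transport, True, audit)
    try:
        fetch_vcards(url, blocked_tls_transport, False, audit)
        refused = False
    except DowngradeRefused:
        refused = True
    return leaked, refused, len(downgraded_connections(audit))


if __name__ == "__main__":
    print(demo())
```

The flawed policy returns the contact data over plaintext without any error, which is exactly why the bug is invisible to the user; the hardened policy fails closed, and the audit record makes a downgrade something a defender can alert on rather than something that only an attacker notices.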
In alphabetical order, security improvements were made to Address Book, Apache, CFNetwork, ColorSync, CoreAudio, CoreMedia, CoreText, CoreUI, curl, Data Security, dovecot, filecmds, ImageIO, Internet Sharing, Libinfo, libresolv, libsecurity, OpenGL, PHP and QuickTime (numerous fixes in each), SquirrelMail, Subversion, Time Machine, Tomcat, WebDAV Sharing, Webmail and X11. The OpenGL bug (which dealt with memory corruption issues in the handling of GLSL compilation) was credited to members of the Red Hat and Google Chrome security teams.
Some of the issues now resolved were unique to OS X Lion, including two flaws in CFNetwork, a Libinfo flaw that incorrectly handled malformed URLs, a WebDAV issue that could have allowed valid account users on one server to execute arbitrary code on others, and a cross-site scripting vulnerability in Webmail. Four issues were specific to OS X 10.6.8, including a problem with maliciously crafted images in ColorSync, a buffer overflow error in CoreAudio, and several SquirrelMail and Tomcat flaws.
In the latter cases, the programs themselves were updated (to 1.4.22 for SquirrelMail and 6.0.33 for Tomcat). Other components that were simply updated to address numerous issues include Apache (now at 2.2.21), libpng (now at 1.5.5), libtiff (to 3.9.5), PHP (now v5.3.8), FreeType (to version 2.4.7), Subversion (now at 1.6.17) and Roundcube webmail (to version 0.6).
The update is already included in 10.7.3 (Client and Server versions), but can be obtained for 10.6.8 users either via Software Update or by downloading the file directly from Apple's website. The file for Snow Leopard is 192.73MB in size. A version for Snow Leopard Server is also available at 212.09MB in size and will appear in Software Update for those users.