Printed from http://www.macnn.com

Apple issues security update for Snow Leopard, Lion, Server versions

updated 07:52 pm EDT, Tue June 4, 2013

Rolls in security changes present in just-released 10.8.4 update

As expected, Apple has issued Security Update 2013-002 for older versions of OS X; it is limited to the security-oriented changes present in the latest Mountain Lion update, v10.8.4, which was issued earlier today. Updates for Snow Leopard (10.6), the OS X Server version of Snow Leopard, the OS X Server version of Lion (10.7) and the client version of Lion are all now available through Software Update or Apple's own Support Downloads page. Issues were found and patched for OpenSSL, QuickTime, Ruby and SMB, among other areas.

Among the issues addressed was a flaw in CoreMedia Playback affecting Lion and Lion Server, where a maliciously crafted movie file could have led to a crash or arbitrary code execution due to an uninitialized memory access issue in the handling of text tracks. Directory Service in Snow Leopard (Client and Server) was patched to remove an issue in the program's handling of messages from the network. OpenSSL across all three supported OS releases (10.6, 10.7 and 10.8) was updated to version 0.9.8x to close a host of potential problems, and compression was disabled due to the discovery of a method by which an attacker could decrypt data protected by SSL through TLS 1.0 when it was compressed.

QuickTime was corrected to solve a buffer overflow error in the handling of "enof" atoms and to address a memory corruption issue in the handling of QTIF files. The buffer overflow issue was discovered by Microsoft employees working with HP's Zero Day security initiative, while the QTIF issue was found by "roob" working with iDefense VCP. Tobias Klein of the Zero Day Initiative also found a buffer overflow error in QuickDraw Manager related to the handling of PICT images that could have led to crashes or arbitrary code execution in Lion or Mountain Lion, while G. Geshev, working with HP's Zero Day Initiative, found a buffer overflow problem in QuickTime related to FPX files that has also now been corrected.

Two open-source components, Ruby and SMB, have also had fixes implemented. Ruby has been updated to version 2.3.18 for OS X 10.6 and later to close a number of vulnerabilities, including a serious issue that could have led to arbitrary code execution across systems running Ruby on Rails applications. SMB on Lion and Mountain Lion was discovered to allow users to write files outside the shared directory if SMB sharing was turned on, and the issue has been corrected. The SMB report came from researcher Ward van Wanrooij.

The update for Snow Leopard (Client) is 329.85MB in size, with the Server version being 404.83MB (updates through Software Update, which are tailored for different models, may reflect slightly different sizes). The Lion update is 57.69MB and requires 10.7.5, the last version of Lion available, while the Server version weighs in at 105.61MB. The Snow Leopard updates require 10.6.8.




by MacNN Staff
