updated 07:52 pm EDT, Tue June 4, 2013
Rolls in security changes present in just-released 10.8.4 update
As expected, Apple has issued Security Update 2013-002 for older versions of OS X, limited to the security-oriented changes present in the latest Mountain Lion update, v10.8.4, which was issued earlier today. Updates for Snow Leopard (10.6), the OS X Server version of Snow Leopard, the OS X Server version of Lion (10.7) and the client version of Lion are all now available through Software Update or Apple's own Support Downloads page. Issues were found and patched in OpenSSL, QuickTime, Ruby and SMB, among other areas.
Among the issues addressed was a flaw in CoreMedia Playback affecting Lion and Lion Server, where a maliciously crafted movie file could have led to a crash or arbitrary code execution because of an uninitialized memory access in the handling of text tracks. Directory Service in Snow Leopard (Client and Server) was patched to remove an issue in its handling of messages from the network. OpenSSL across all three supported OS releases (10.6, 10.7 and 10.8) was updated to version 0.9.8x to close a host of potential problems, and TLS compression was disabled following the discovery of a method by which an attacker could decrypt data protected by SSL through TLS 1.0 when compression was in use.
QuickTime was corrected to solve a buffer overflow in the handling of "enof" atoms, and a memory corruption issue in the handling of QTIF files was also addressed. The buffer overflow was discovered by Microsoft employees working with HP's Zero Day Initiative, while the QTIF issue was found by "roob" working with iDefense VCP. Tobias Klein of the Zero Day Initiative also found a buffer overflow in QuickDraw Manager related to the handling of PICT images that could have led to crashes or arbitrary code execution on Lion or Mountain Lion, while G. Geshev, working with HP's Zero Day Initiative, found a buffer overflow in QuickTime related to FPX files that has also now been corrected.
Two open-source components, Ruby and SMB, have also received fixes. Ruby has been updated to version 2.3.18 for OS X 10.6 and later to close a number of vulnerabilities, including a serious issue that could have led to arbitrary code execution on systems running Ruby on Rails applications. SMB file sharing on Lion and Mountain Lion was found to allow users to write files outside the shared directory when SMB sharing was turned on; this has also been corrected. The SMB report came from researcher Ward van Wanrooij.
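The SMB issue above is the classic file-server failure of letting a client-supplied path escape the exported directory. The following is an added example written for this page, not Apple's SMB code and not tied to the specific bug: it shows the containment check a file server needs before acting on a client path, resolving `..` segments and symbolic links first and then confirming the result still lies under the share root. The share layout it builds (`share/`, `share/docs/`, a symlink `share/escape` pointing to a directory outside the share) is constructed in a temporary directory for the demonstration.

```python
"""Confining client-supplied paths to a share root.

Added example, not Apple's SMB code: it shows the containment check a file
server needs so that a client path (including '..' segments and symlinks)
cannot resolve to a location outside the shared directory.
"""
import os
import tempfile


class OutsideShareError(Exception):
    """Raised when a requested path resolves outside the share root."""


def resolve_within_share(share_root: str, client_path: str) -> str:
    """Return the absolute on-disk path for client_path, or raise.

    share_root: the directory exported to clients (assumed; any directory works).
    client_path: the path as sent by the client, relative to the share root.
    The check is done on the fully resolved path (realpath) so that both
    '..' components and symbolic links are accounted for.
    """
    root = os.path.realpath(share_root)
    # Strip a leading separator so an "absolute" client path is still
    # interpreted relative to the share root, not to the filesystem root.
    relative = client_path.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath compares component-wise, so /share2 is not mistaken for a
    # child of /share (a plain startswith() check would get that wrong).
    if os.path.commonpath([root, candidate]) != root:
        raise OutsideShareError(f"{client_path!r} resolves outside {root}")
    return candidate


def check_paths(share_root: str, client_paths):
    """Classify each client path as 'inside' or 'outside' the share root."""
    results = {}
    for p in client_paths:
        try:
            resolve_within_share(share_root, p)
            results[p] = "inside"
        except OutsideShareError:
            results[p] = "outside"
    return results


def demo():
    """Build a constructed share layout in a temp dir and run the check.

    Layout (constructed for this example):
      <tmp>/share/                         the exported directory
      <tmp>/share/docs/                    a normal subdirectory
      <tmp>/share/escape -> <tmp>/outside  symlink pointing out of the share
      <tmp>/outside/                       a directory that must stay unreachable
    """
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(share, "docs"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(share, "escape"))
        return check_paths(share, [
            "docs/report.txt",          # ordinary file inside the share
            "/docs/report.txt",         # absolute-looking path, still inside
            "../outside/secret.txt",    # '..' traversal out of the share
            "docs/../../outside/x",     # traversal via a subdirectory
            "escape/secret.txt",        # symlink that points out of the share
        ])


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8s} {path}")
```

The point of resolving with `realpath` before comparing is that a check done on the textual path alone passes `escape/secret.txt`, since it contains no `..`, while the symlink still carries the write outside the share; only the resolved location tells the server where the bytes would actually land.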
The update for Snow Leopard (Client) is 329.85MB in size, with the Server version being 404.83MB (updates delivered through Software Update, which are tailored for different models, may show slightly different sizes). The Lion update is 57.69MB in size and requires 10.7.5, the last version of Lion available, while the Server version weighs in at 105.61MB. The Snow Leopard updates require 10.6.8.