toggle

AAPL Stock: 102.47 ( + 2.71 )

Printed from http://www.macnn.com

Apple details security fixes in OS X 10.8.5, Safari 5.1.10

updated 11:28 pm EDT, Thu September 12, 2013

Updated Safari for 10.6, Security Update for Snow Leopard and Lion

In addition to the latest update to OS X Mountain Lion (10.8.5), Apple on Thursday also updated Snow Leopard's Safari 5.1 for a flaw that fixes a potential security hole in JavaScript. The problem, identified by Certified Secure and Vitaliy Toropov working with HP's Zero Day Initiative, could lead to unexpected quits or arbitrary code execution in Safari when visiting a maliciously-crafted website. The company also issued security updates for Snow Leopard (10.6) and Lion (10.7), with security fixes for Mountain Lion included in the 10.8.5 update.

The Safari 5 bug was caused by "multiple memory corruption issues" existing in JavaScriptCore's "JSArray::sort()" method. The fix addresses the problem with additional bounds checking. The current version of Safari for Lion and Mountain Lion, v6.0.5, does not suffer the problem. Users running Safari 5 will see the update available in Software Update, and can also obtain the download through Apple's Support Downloads page.

Today's update to OS X 10.8 Mountain Lion addresses some security issues as well, which are also patched in Security Updates for users of Snow Leopard and Lion. The updates address multiple vulnerabilities in Apache, Bind, OpenSSL, PHP, PostgreSQL, and malware detector ClamAV. In addition, specific issues were fixed in CoreGraphics, ImageIO, Installer, IPSec, the OS X 10.8.x kernel, Mobile Device Management, the Certificate Trust Policy, Power Management, QuickTime, and Screen Lock.

The problems in Apache, a built-in web server for hosting sites and pages, revolve around cross-site scripting and have been fixed by simply updating it to version 2.2.24 for all three OS X releases. The BIND issues affected only Lion and Mountain Lion, and again were resolved by updating BIND to v9.8.5-P1. ClamAV for 10.6.x and 10.7.x was updated to 0.97.8, OpenSSL was updated to v0.9.8y, PHP to version 5.3.26 and PostgreSQL to v9.0.13, fixing their various vulnerabilities.

Apple also added to or removed some certificates from the list of system roots in all three OS versions, and fixed a buffer overflow bug in Mountain Lion's CoreGraphics and ImageIO discovered by a Google security researcher where a maliciously-crafted file could cause a crash or arbitrary code execution. A flaw in the Installer for Lion and Mountain Lion allowed packages to be opened even after a certificate revocation, and an issue in the Mountain Lion kernel that could cause a denial of service through an incorrect check in the IGMP packet was addressed after its discovery by Protectstar.

Also exclusive to Mountain Lion was a bug in Power Management that prevented a screen saver from starting, and a vulnerability where a user with screen-sharing access could bypass the screen lock when another user logged in was as fixed after discovery by Jeff Grisso and Sebastien Stormacq. The 10.8.5 update also addresses an issue where certain Unicode strings could cause applications to fail unexpectedly -- a flaw discovered in August by Alexander Traud.

All three supported OS releases were vulnerable to a bug in IPSec where an attacker could conceivably intercept data supposedly protected by IPSec Hybrid Auth, while QuickTime for all three was updated to stop a bug found by iDefense VCP where a maliciously-crafted movie file could cause crashes or arbitrary code execution. Finally, Lion and Mountain Lion's Mobile Device Management features had a flaw where passwords could be disclosed to other local users, discovered by Per Olofsson at the University of Gothenburg. The issue was fixed by communicating the password through a pipe.

The Mountain Lion update or Security Update 2013-004 can be obtained by using Software Update or downloaded directly from Apple's Support Downloads page. The files may have different names depending on the version of the system being used: those on 10.8.4 will see a "delta" 10.8.5 update, those on 10.8 through 10.8.3 will be steered to the larger "combo" update, and Lion and Snow Leopard (and corresponding Server users) will see just a Security Update 2013-004.




by MacNN Staff

toggle

Comments

  1. jimoase

    Fresh-Faced Recruit

    Joined: 04-15-08

    OSX stuttering is a bridge too far for 10.8.5 to fix.

    Let the stuttering continue is the new OSX upgrade mantra.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    It's really odd:

    All your posts except for two have concerned "stuttering" in OS X 10.8.

    You never replied back to this:
    http://forums.macnn.com/112/mac-news/501681/forums-os-x-lion-nightmares-more/#post4236635

    It does not look like this is Apple's problem to fix, since hardly anybody else is having it.

    This post here would seem to suggest that it's caused by SanDisk SSD's.
    http://www.reddit.com/r/applehelp/comments/1166nt/weird_stuttering_ui_lag_in_mountain_lion/

  1. Charles Martin

    MacNN Editor

    Joined: 08-04-01

    Agreed with Spheric Harlot. Believe me, if "stuttering" or anything less than fast performance under OS X was normal, we'd have heard a lot about it from people other than just you. I'm certainly not seeing it, and I'm always very concerned about stuff like that.

    The problem is either your machine or your practices. Either seek some serious help with the problem in the forums, or stop trolling.

  1. seanpatterson

    Fresh-Faced Recruit

    Joined: 11-04-11

    Can anyone please confirm whether Safari 5.1.10 has RSS built-in? Thanks!

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Kenu Airframe Plus

Simple, stylish and effective, the Kenu Airframe + portable car mount is the latest addition to Kenu's lineup. Released earlier this ...

Plantronics Rig Surround 7.1 headset

Trying to capture the true soundscape of video games can be a daunting task. Looking to surround-sound home theater options, users hav ...

Adesso Compagno X Bluetooth keyboard

The shift from typing on physical keyboards to digital versions on smartphones and tablets hasn't been an easy for many consumers. Fr ...

toggle

Most Commented