updated 11:28 pm EDT, Thu September 12, 2013
Updated Safari for 10.6, Security Update for Snow Leopard and Lion
Today's update to OS X 10.8 Mountain Lion addresses some security issues as well, which are also patched in Security Updates for users of Snow Leopard and Lion. The updates address multiple vulnerabilities in Apache, Bind, OpenSSL, PHP, PostgreSQL, and malware detector ClamAV. In addition, specific issues were fixed in CoreGraphics, ImageIO, Installer, IPSec, the OS X 10.8.x kernel, Mobile Device Management, the Certificate Trust Policy, Power Management, QuickTime, and Screen Lock.
The problems in Apache, a built-in web server for hosting sites and pages, revolve around cross-site scripting and have been fixed by simply updating it to version 2.2.24 for all three OS X releases. The BIND issues affected only Lion and Mountain Lion, and again were resolved by updating BIND to v9.8.5-P1. ClamAV for 10.6.x and 10.7.x was updated to 0.97.8, OpenSSL was updated to v0.9.8y, PHP to version 5.3.26 and PostgreSQL to v9.0.13, fixing their various vulnerabilities.
Apple also added certificates to, and removed others from, the list of system roots in all three OS versions, and fixed a buffer overflow bug in Mountain Lion's CoreGraphics and ImageIO discovered by a Google security researcher, where a maliciously-crafted file could cause a crash or arbitrary code execution. A flaw in the Installer for Lion and Mountain Lion allowed packages to be opened even after a certificate revocation, and an issue in the Mountain Lion kernel that could cause a denial of service through an incorrect check when processing IGMP packets was addressed after its discovery by Protectstar.
Also exclusive to Mountain Lion was a bug in Power Management that prevented a screen saver from starting, and a vulnerability where a user with screen-sharing access could bypass the screen lock when another user logged in, which was fixed after discovery by Jeff Grisso and Sebastien Stormacq. The 10.8.5 update also addresses an issue where certain Unicode strings could cause applications to fail unexpectedly -- a flaw discovered in August by Alexander Traud.
All three supported OS releases were vulnerable to a bug in IPSec where an attacker could conceivably intercept data supposedly protected by IPSec Hybrid Auth, while QuickTime for all three was updated to stop a bug found by iDefense VCP where a maliciously-crafted movie file could cause crashes or arbitrary code execution. Finally, Lion and Mountain Lion's Mobile Device Management features had a flaw where passwords could be disclosed to other local users, discovered by Per Olofsson at the University of Gothenburg. The issue was fixed by communicating the password through a pipe.
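The Mobile Device Management fix above is an instance of a general rule: a secret placed on a child process's command line is readable by every local user (`ps` shows any process's arguments), whereas a secret written to the child over a pipe is visible only to the two endpoints. The following is an added illustration, not code from the article or from Apple; it assumes nothing about how the MDM tooling itself works and simply uses the Python interpreter as a stand-in child process, with a constructed sample password.

```python
"""Passing a secret to a child process: argv (visible to other local users) vs. a pipe.
Added example; the child here is just the Python interpreter, not any real MDM helper."""
import subprocess
import sys
from typing import List

# Constructed sample secret; real code would obtain it from a keychain or a prompt.
SAMPLE_PASSWORD = "correct-horse-battery-staple"


def argv_command(secret: str) -> List[str]:
    """Insecure pattern: the secret is a command-line argument of the child.
    The child's argv is world-readable through `ps` on a multi-user system."""
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", secret]


def pipe_command() -> List[str]:
    """Safer pattern: the child reads the secret from its stdin, so nothing
    sensitive appears in its command line."""
    return [sys.executable, "-c", "import sys; print(sys.stdin.readline().rstrip())"]


def run_with_argv(secret: str) -> str:
    """Launch the child with the secret in argv and return what the child received."""
    proc = subprocess.run(argv_command(secret), capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_with_pipe(secret: str) -> str:
    """Launch the child and hand it the secret over a stdin pipe; return what it received."""
    proc = subprocess.run(
        pipe_command(), input=secret + "\n", capture_output=True, text=True, check=True
    )
    return proc.stdout.strip()


def secret_visible_in_command_line(cmd: List[str], secret: str) -> bool:
    """Approximates what a local observer sees via `ps -o args`: the joined argv."""
    return secret in " ".join(cmd)


if __name__ == "__main__":
    for label, cmd, runner in (
        ("argv", argv_command(SAMPLE_PASSWORD), run_with_argv),
        ("pipe", pipe_command(), run_with_pipe),
    ):
        received = runner(SAMPLE_PASSWORD)
        exposed = secret_visible_in_command_line(cmd, SAMPLE_PASSWORD)
        print(f"{label}: child got secret={received == SAMPLE_PASSWORD}, visible in ps={exposed}")
```

Both variants deliver the same secret to the child; the only difference is what a third local user could observe while the child runs, which is exactly the distinction the MDM fix relies on.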
The Mountain Lion update or Security Update 2013-004 can be obtained by using Software Update or downloaded directly from Apple's Support Downloads page. The files may have different names depending on the version of the system being used: those on 10.8.4 will see a "delta" 10.8.5 update, those on 10.8 through 10.8.3 will be steered to the larger "combo" update, and Lion and Snow Leopard (and corresponding Server users) will see only Security Update 2013-004.