Apple issues many security updates for OS X, including Lion and Mountain Lion

Apple issues many security updates for OS X, including Lion and Mountain Lion

Summary: A total of 37 vulnerabilities for OS X users and ten for QuickTime for Windows are patched. Apple finally begins patching Mountain Lion again.

TOPICS: Security, Apple

In addition to fixing a high-priority bug in SSL/TLS and shipping numerous feature tweaks and fixes, Apple released a large number of security fixes today to OS X, Safari and QuickTime for Windows.

There were 33 vulnerabilities patched in OS Xfour in Safari and 10 in QuickTime for Windows.

Surprisingly, in addition to patching the current version OS X 10.9 (Mavericks), updates were also released for OS X 10.7.x (Lion) and OS X 10.8.x (Mountain Lion). In the time since they released Mavericks in October Apple has disclosed and but not patched dozens of vulnerabilities in Mountain Lion. This policy appears to have changed, but most of the vulnerabilities previously unpatched remain unpatched, according to Apple's disclosures.

Many of the OS X vulnerabilities are quite severe. The most interesting one is a vulnerability in Secure Transport in Mountain Lion, Apple's SSL/TLS implementation. (This is the same software component involved with the recent SSL/TLS vulnerability, but not the same problem.) The vulnerability is designated CVE-2011-3389 and was first disclosed on September 6, 2011. It was a vulnerability of some note at the time because it severely compromised a very common set of SSL facilities (CBC in TLS 1.0). Click here for an excellent contemporaneous description.

Apple has a good deal of experience with this vulnerability having now patched it on 8 separate occasions in different programs:

The remaining vulnerabilities include many with which an attacker could execute privileged code, intercept confidential data or modify files. One vulnerability could allow an unprivileged user to change the system clock.

I could only identify three vulnerabilities patched today which were among the more than 50 patched at the release of Mavericks, all of which were present in Mountain Lion:

  • IOSerialFamily: Executing a malicious application may result in arbitrary code execution within the kernel
  • App Sandbox: The App Sandbox may be bypassed
  • LaunchServices: A file could show the wrong extension

I have asked Apple why only these three were chosen and will add their response when I get it.

Four vulnerabilities were patched in Safari for Lion, Mountain Lion and Mavericks. All four are in the Webkit browser engine, and are memory corruption vulnerabilities with which an attacker could execute arbitrary code by getting the user to visit a malicious web site.

All ten vulnerabilities in QuickTime for Windows could allow remote code execution if the user plays a malicious movie file.

Topics: Security, Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Snow Leopard

    Does this mean Safari is or isn't safe to use to 10.6.8 (Snow Leopard)?
    • That's

      for you to find out. Snow Leopard is EOL, so Apple don't care if it is affected or not.
      • Re: Snow Leopard is EOL....

        "Apple don't care if it is affected or not"

        If that is the case then its utterly irresponsible of Apple as Snow Leopard still has a substantial user base on machines manufactured prior to 2008.
        • XP

          Just like it's utterly irresponsible for M$ to abandon XP? How many Linux kernels should be supported? What about old versions of Android? Gingerbread, anyone?
          • The difference with XP

            Is that it's now almost 13 years old, and now support is just ending. For Apple, OS 10.6 can still be bought from from the Apple Store, was released 4 years ago, and was abandoned after 2 years.
          • Time is relative

            GNU/Linux, for example:
            o Ubuntu non-LTS releases have 9 months of support
            o Fedora releases have 1 year of support
            o OpenSUSE releases have 18 months of support
            o Debian releases have 3 years of support
            o Ubuntu LTS release have 5 years of support
            o SUSE Linux releases have 7 years of support *
            o RHEL releases have 10 years of support *

            * Commercial GNU/Linux distros.

            There's lots of choice and diversity out there for desktop OSs with Apple, Microsoft, GNU/Linux, BSD and Qubes OS. If Apple's OS X support (note: I also wish that Apple had a formal lifecycle support policy for its products) is too short for your taste, needs, whatever, then use something else.
            Rabid Howler Monkey
          • Be nice if we knew what the policy was.

            As you said: "(note: I also wish that Apple had a formal lifecycle support policy for its products)" - since it's not published, it's impossible to evaluate whether it's appropriate for anyone's needs.

            Apple needs to stop acting like the underfunded company they were back in 2000 and start acting responsibly.
        • Some people are stuck on EOL'ed Snow Leopard.

          Great point.

          But Snow Leopard was also the last version of OSX to support PowerPC applications. So some people are stuck on Snow Leopard.

          I performed some research on this; and apparently the company that made the emulator was acquired by IBM. My guess is the original developer of Rosetta got tired of being jerked around by Apple. I can't blame them. I think it's fascinating that Apple's Legal team can obtain a $1B award against Samsung, yet can't properly negotiate a licensing contract to ensure functionality.

          Apple has real poor documentation and every incremental upgrade usually means some additional software has to be upgraded. This is likely why Apple will always have trouble with maintenance and upkeep. Even the "Free Upgrade" to Mavericks isn't free. I had to buy new software.
  • Snow Leopard

    Anybody, anybody, on the question: Does this mean Safari is or isn't safe to use in 10.6.8 (Snow Leopard)?
    • Re: Safari 5.1.10 on Snow Leopard....

      As Snow Leopard sid not receive the Safari 6 update as Lion did I would suggest either using Google Chrome or my preference Opera as your default browser
  • Thanks Larry, keep the pressure on

    Who knows we might yet drag Apple out of the last century on security.
  • Maybe That's Why

    There was much concern last week that iOS was patched and OSX was not. Maybe all the other fixes is why.
  • Apple still disses corporate customers

    Apple's arrogance, slow security fixes, dropping support of a still widely used O/S, etc. helps to explain why Apple has never made it in the corporate market.

    Yes the iPhone is the exception but its computers and servers don't have the market share that its technology should demand.

    Irresponsible statements like "If you don 'to like it then switch" is only appropriate for a commodity consumer electronics company. Apple's iPhone put them in the Big Leagues but they still act like pee wee baseball.
  • I have asked Apple too 8-}

    Hey Larry,

    "I have asked Apple why only these three were chosen and will add their response when I get it."

    Guess what, I asked them too, still waiting for them to reply *facepalm*
    Wondering what the ETA is on that! Bad Followup!

    • Snow Leopard si still supported by apple May 2014

      People who stumble upon this post, get worried that snow leopard is not supported anymore, please read this

      Snow Leopard Security update May 2014 ;)