In addition to fixing a high-priority bug in SSL/TLS and shipping numerous feature tweaks and fixes, Apple released a large number of security fixes today to OS X, Safari and QuickTime for Windows.
Surprisingly, in addition to patching the current version, OS X 10.9 (Mavericks), Apple also released updates for OS X 10.7.x (Lion) and OS X 10.8.x (Mountain Lion). In the time since it released Mavericks in October, Apple has disclosed but not patched dozens of vulnerabilities in Mountain Lion. This policy appears to have changed, but most of the previously unpatched vulnerabilities remain unpatched, according to Apple's disclosures.
Many of the OS X vulnerabilities are quite severe. The most interesting one is a vulnerability in Secure Transport, Apple's SSL/TLS implementation, in Mountain Lion. (This is the same software component involved in the recent SSL/TLS vulnerability, but not the same problem.) The vulnerability is designated CVE-2011-3389 and was first disclosed on September 6, 2011. It was a vulnerability of some note at the time because it severely compromised a very common set of SSL facilities (CBC in TLS 1.0).
Apple has a good deal of experience with this vulnerability, having now patched it on 8 separate occasions in different programs:
- Ruby in Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
- curl in Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
- Apache in Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
- Apple TV 4.0 through 4.3
- Data Security in iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad
- CFNetwork SSL and python in OS X 10.6.x through 10.8.5
- neon (Xcode) for OS X Lion v10.7.4 and later
- Secure Transport for OS X Mountain Lion v10.8.5
The remaining vulnerabilities include many with which an attacker could execute privileged code, intercept confidential data or modify files. One vulnerability could allow an unprivileged user to change the system clock.
I could only identify three vulnerabilities patched today which were among the more than 50 patched at the release of Mavericks, all of which were present in Mountain Lion:
- IOSerialFamily: Executing a malicious application may result in arbitrary code execution within the kernel
- App Sandbox: The App Sandbox may be bypassed
- LaunchServices: A file could show the wrong extension
I have asked Apple why only these three were chosen and will add their response when I get it.
Four vulnerabilities were patched in Safari for Lion, Mountain Lion and Mavericks. All four are in the WebKit browser engine and are memory corruption vulnerabilities with which an attacker could execute arbitrary code by getting the user to visit a malicious web site.
All ten vulnerabilities in QuickTime for Windows could allow remote code execution if the user plays a malicious movie file.