
Apple issues many security updates for OS X, including Lion and Mountain Lion

A total of 37 vulnerabilities for OS X users and ten for QuickTime for Windows are patched. Apple finally begins patching Mountain Lion again.
Written by Larry Seltzer, Contributor

In addition to fixing a high-priority bug in SSL/TLS and shipping numerous feature tweaks and fixes, Apple released a large number of security fixes today to OS X, Safari and QuickTime for Windows.

There were 33 vulnerabilities patched in OS X, four in Safari and 10 in QuickTime for Windows.

Surprisingly, in addition to patching the current version, OS X 10.9 (Mavericks), updates were also released for OS X 10.7.x (Lion) and OS X 10.8.x (Mountain Lion). In the time since Apple released Mavericks in October, it has disclosed but not patched dozens of vulnerabilities in Mountain Lion. This policy appears to have changed, but most of the previously unpatched vulnerabilities remain unpatched, according to Apple's disclosures.

Many of the OS X vulnerabilities are quite severe. The most interesting one is a vulnerability in Secure Transport in Mountain Lion, Apple's SSL/TLS implementation. (This is the same software component involved with the recent SSL/TLS vulnerability, but not the same problem.) The vulnerability is designated CVE-2011-3389 and was first disclosed on September 6, 2011. It was a vulnerability of some note at the time because it severely compromised a very common set of SSL facilities (CBC in TLS 1.0). Click here for an excellent contemporaneous description.

Apple has a good deal of experience with this vulnerability, having now patched it on 8 separate occasions in different programs:

The remaining vulnerabilities include many with which an attacker could execute privileged code, intercept confidential data or modify files. One vulnerability could allow an unprivileged user to change the system clock.

I could only identify three vulnerabilities patched today which were among the more than 50 patched at the release of Mavericks, all of which were present in Mountain Lion:

  • IOSerialFamily: Executing a malicious application may result in arbitrary code execution within the kernel
  • App Sandbox: The App Sandbox may be bypassed
  • LaunchServices: A file could show the wrong extension

I have asked Apple why only these three were chosen and will add their response when I get it.

Four vulnerabilities were patched in Safari for Lion, Mountain Lion and Mavericks. All four are in the WebKit browser engine, and all are memory corruption vulnerabilities with which an attacker could execute arbitrary code by getting the user to visit a malicious web site.

All ten vulnerabilities in QuickTime for Windows could allow remote code execution if the user plays a malicious movie file.
