My next class:

Apple releases OS 10.8.4

Published: 2013-06-05. Last Updated: 2013-06-05 02:43:44 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Apple released the next update for OS X, 10.8.4. Eventually, we should learn more about the security content of the update, but at this point, the security page has not been updated yet [1]. 

However, Apple did distribute a list of patched vulnerabilities via e-mail (thanks Dave for sharing). The update fixes a total of 33 vulnerabilities. Here are some of the highlights:

 

OS 10.8.4 Update Overview
  CVE # Component Affected Versions  
2013-0982 CFNetwork 10.8 - 10.8.3 data leakage (authentication cookies)
2013-0983 CoreAnimation 10.8 - 10.8.3 code execution
2013-1024 CoreMedia 10.7-10.7.5 (Server
10.8-10.8.3
code execution
2013-5519 CUPS 10.8-10.8.3 priv. escalation
2013-0984 Directory Service 10.6.8 remote code execution as system
2013-0985 Disk Management 10.8-10.8.3 data leakage (disable file vault)
2012-4829 OpenSSL 10.6.8, 10.7-10.7.5, 10.8-10.8.3 data leakage ("CRIME" attack)
multiple OpenSSL 10.6.8, 10.7-10.7.5, 10.8-10.8.3 DoS, data leakage
2013-0987 QuickTime QTIF Files 10.6.8, 10.7-10.7.5, 10.8-10.8.3 code execution
2013-0988 QuickTime FPX Files 10.6.8., 10.7-10.7.5, 10.8-10.8.3 code execution
2013-0989 QuickTime MP3 Files 10.8-10.8.3 code execution
multiple Ruby on Rails 10.6.8 code execution (EXPLOITED)
2013-0990 SMB 10.7-10.7.5, 10.8-10.8.3 authenticated user may write files outside of shared directory

Other changes:

Gatekeeper will check downloaded JNLP applications and may require a valid developer ID certificate.

In addition, this update includes Safari 6.0.5 with various improvements / security fixes not listed here. 

Safari 6.0.5 patches a total of 23 arbitrary code execution vulnerabilities, two cross site scriting issue and one problem with the XSS Auditor that may cause form submissions to be altered.

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: apple os x
6 comment(s)
My next class:

Comments

Typo above: CVE-2013-5519 here really means CVE-2012-5519; it was known publicly and the vendor notified almost 7 months ago. A user who could configure printers could also read/overwrite any file on that system.

I'd never seen a detailed list before of the vulnerabilities that are patched in OS X. The attack surface is so broad here, from network services to multimedia codecs. People don't use these devices for anything important, do they? Like accessing their email, Internet banking, software development...
OS X 10.8.4 update information - http://support.apple.com/kb/HT5730

Security content, - http://support.apple.com/kb/HT5784

Safari 6.0.5 security content - http://support.apple.com/kb/HT5785

The combo updater download is about 900 meg. It took about 20 minutes to install on a 2012 MacBook Pro running 10.8.3.
p.s. Steven, the attack surface doesn't seem any broader than the average Windows or Linux update...
Looks like there's also a Security Update 2013-002 for both Lion and Snow Leopard. Can anyone explain Apple's patch release policies to me; thought they only support the 2 most current versions. Did that end w/ their Java debacle?
Re: Apple software update lifecycle

Actually, its a -2 methodology. They support the existing OS version currently being installed and the two previous. So that would mean everything back to 10.6.x (snowleopard) is still being supported. When they go to a 10.9, then you will effectively only get updates for 10.7 and later.
Seems that not too long ago it was -1 strategy (http://www.computerworld.com/s/article/9231513/Apple_goes_against_grain_extends_support_for_Snow_Leopard)

Diary Archives