ID: IRCNE2014022118
Date: 2013-02-26
According to ZDNet, in addition to fixing a high-priority bug in SSL/TLS and shipping numerous feature tweaks and fixes, Apple released a large number of security fixes today for OS X, Safari and QuickTime for Windows.
There were 33 vulnerabilities patched in OS X, four in Safari and 10 in QuickTime for Windows.
Surprisingly, in addition to patching the current version, OS X 10.9 (Mavericks), Apple also released updates for OS X 10.7.x (Lion) and OS X 10.8.x (Mountain Lion). In the time since it released Mavericks in October, Apple has disclosed but not patched dozens of vulnerabilities in Mountain Lion. This policy appears to have changed, but most of the previously unpatched vulnerabilities remain unpatched, according to Apple's disclosures.
Many of the OS X vulnerabilities are quite severe. Apple has a good deal of experience with this vulnerability, having now patched it on 8 separate occasions in different programs:
- Ruby in Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
- curl in Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
- Apache in Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
- Apple TV 4.0 through 4.3
- Data Security in iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad
- CFNetwork SSL and python in OS X 10.6.x through 10.8.5
- neon (Xcode) for OS X Lion v10.7.4 and later
- Secure Transport for OS X Mountain Lion v10.8.5
The remaining vulnerabilities include many with which an attacker could execute privileged code, intercept confidential data or modify files. One vulnerability could allow an unprivileged user to change the system clock.
Four vulnerabilities were patched in Safari for Lion, Mountain Lion and Mavericks. All four are memory corruption vulnerabilities in the WebKit browser engine, with which an attacker could execute arbitrary code by getting the user to visit a malicious web site.
All ten vulnerabilities in QuickTime for Windows could allow remote code execution if the user plays a malicious movie file.