Apple closes security holes in Mac OS X and Safari
Apple has released updates for versions 10.6 (Snow Leopard), 10.7 (Lion) and 10.8 (Mountain Lion) of its Mac OS X operating system that close a number of critical security holes. Mac OS X 10.8.2 and 10.7.5, and Security Update 2012-004 for Mac OS X 10.6.8 address a wide range of security vulnerabilities. These include information disclosure and denial-of-service (DoS) problems, bugs in the sandbox that could allow a malicious program to bypass restrictions, memory corruption bugs, and buffer and integer overflows. According to Apple, many of these could be exploited by an attacker to cause unexpected application termination or arbitrary code execution. Among the changes in the updates are new versions of Apache, the BIND DNS server, International Components for Unicode, the kernel, Mail.app, PHP, Ruby and the QuickTime media player, all of which correct security problems.
Besides the security fixes, the Mac OS X 10.7.5 update also brings Gatekeeper, a feature introduced in 10.8 Mountain Lion, to Lion. By default, Gatekeeper refuses to launch downloaded applications that have not been signed with a valid Apple-issued Developer ID certificate, but this setting can be changed. It offers three levels of security for running applications downloaded from the internet: "Mac App Store", "Mac App Store and identified developers" and "Anywhere". The first only runs applications downloaded from the Mac App Store; the second, which is the default, also allows applications from developers who have signed their program with their Developer ID; the last allows all applications to run, regardless of whether they are signed with a Developer ID or not. Note that Gatekeeper only inspects applications that carry the quarantine attribute which browsers and other download tools attach to files, and a user can still open a blocked application by control-clicking it and choosing Open, so it is a safe default rather than an enforced policy.
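As an added example, not code from Apple or from this article, the following POSIX shell script maps the verdict printed by the spctl tool (the command-line front end to Gatekeeper's assessment) onto the three levels described above, and on a Mac also reports whether a bundle still carries the quarantine attribute. The level names appstore, identified and anywhere, the function names and the sample spctl output are assumptions made here for illustration; the spctl and xattr invocations are the standard ones.

```shell
#!/bin/sh
# Added example (not Apple's code nor the article's): map the verdict that
# "spctl --assess" reports to the three Gatekeeper levels described above.
# The level names appstore/identified/anywhere are labels assumed here.

# classify_source OUTPUT
# Takes the text printed by "spctl --assess --type execute --verbose" and
# prints where Gatekeeper says the code came from:
#   appstore  - source=Mac App Store
#   devid     - source=Developer ID
#   unsigned  - source=no usable signature
#   other     - anything else (ad-hoc signatures, obsolete formats, ...)
classify_source() {
  case "$1" in
    *"source=Mac App Store"*)       echo appstore ;;
    *"source=Developer ID"*)        echo devid ;;
    *"source=no usable signature"*) echo unsigned ;;
    *)                              echo other ;;
  esac
}

# allowed_under LEVEL CLASS
# Prints yes if an application of class CLASS launches by double-click
# under the given Gatekeeper LEVEL, no otherwise.
allowed_under() {
  level="$1"; class="$2"
  case "$level" in
    appstore)
      case "$class" in appstore) echo yes ;; *) echo no ;; esac ;;
    identified)
      case "$class" in appstore|devid) echo yes ;; *) echo no ;; esac ;;
    anywhere)
      echo yes ;;
    *)
      echo "unknown level: $level" >&2; return 1 ;;
  esac
}

# assess_app PATH
# On a Mac: shows whether the bundle still carries the quarantine attribute
# (only quarantined apps are checked by Gatekeeper), runs the real
# assessment and prints its classification. Elsewhere it reports that the
# tools are missing.
assess_app() {
  app="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not found: this part only runs on macOS" >&2
    return 1
  fi
  if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
    echo "$app: quarantined (Gatekeeper will assess it)"
  else
    echo "$app: no quarantine attribute (Gatekeeper will not assess it)"
  fi
  out=$(spctl --assess --type execute --verbose "$app" 2>&1)
  echo "$out"
  classify_source "$out"
}

# Constructed sample outputs in the format spctl prints, so the mapping can
# be exercised without a Mac at hand.
SAMPLE_DEVID='/Applications/Example.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED='/Applications/Unsigned.app: rejected
source=no usable signature'

for sample in "$SAMPLE_DEVID" "$SAMPLE_UNSIGNED"; do
  class=$(classify_source "$sample")
  printf '%s -> appstore:%s identified:%s anywhere:%s\n' "$class" \
    "$(allowed_under appstore "$class")" \
    "$(allowed_under identified "$class")" \
    "$(allowed_under anywhere "$class")"
done
```

Running the script on a Mac with `assess_app /Applications/Some.app` shows the two facts that matter in practice: whether the quarantine attribute is present at all (a copy that arrived by USB stick or scp never gets one, so Gatekeeper never looks at it), and which source string spctl attributes the signature to, which is what the three settings key on. `spctl --status` reports whether assessments are enabled, i.e. whether the "Anywhere" level has been selected.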
The company also released an update to its Safari web browser, version 6.0.1. This first update to Safari 6, which was released in July, addresses multiple information disclosure vulnerabilities, including one which could allow Autofill contact information to be sent to maliciously crafted web sites. As usual, the majority of the holes closed in Safari were memory corruption bugs in its WebKit browser engine which could, for example, be exploited by an attacker to cause unexpected application termination or arbitrary code execution. For an attack to be successful, a victim must first visit a specially crafted web site.
Further details about the vulnerabilities closed, including a full list of fixes, can be found in Apple's security advisories. Mac OS X 10.8.2 (Client Standard Update, Client Combo Update), Mac OS X 10.7.5 (Client Standard Update, Client Combo Update, Server Standard Update, Server Combo Update) and Security Update 2012-004 (Client, Server) for Mac OS X 10.6 are available from Apple's Support Downloads page; at the time of writing, Safari 6.0.1 is not yet listed for download from the site. Alternatively, Mac OS X users can upgrade to the latest releases using the built-in Software Update function. All users are advised to upgrade as soon as possible.
- About the security content of OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004, security advisory from Apple.
- About the security content of Safari 6.0.1, security advisory from Apple.