Apple is now out with Mac OS X 10.8.3, the first major update to Apple's flagship operating system in 2013. The new update provides incremental stability and feature bug fixes, including the ability to install Windows 8 with Apple's Boot Camp partitioning feature.
Simple bug fixes are not the reason why Apple users need to concerned, though. Twenty-one security flaws are addressed in the update, including at least 11 that could potentially enable a remote attacker to execute arbitrary code.
Among the high-impact flaws is CVE-2013-0967, which is an update to the OS X CoreType library. The flaw could have enabled an attacker to exploit Java flaws, even on Mac OS X machines where Java was specifically disabled by the user. Security experts have been warning about the risks of Java for months, and in the case of Apple have simply advised users to disable it. But apparently that's not enough.
"Java Web Start applications would run even if the Java plug-in was disabled," Apple warned in its advisory. "This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory."
For international Mac OS X users, there is a particularly interesting Unicode flaw that the 10.8.3 update finally fixes. Identified by Apple as CVE-2011-3058, Apple warns that simply visiting a maliciously crafted website may lead to a cross-site scripting attack. The risk is due to an issue in how previous versions of OS X handled EUC-JP language encoding.
Also of particular note is a high-risk flaw in Apple's Identity Services. CVE-2013-0963 describes a flaw that could have enabled an attacker to bypass the Apple ID authentication system.
"If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string," Apple warned. "If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust."
With the 10.8.3 update, Apple is now also finally providing a fix for an SSL certificate authority issue that was first disclosed in January. SSL CA Turktrust issued a pair of invalid certificates for Google. Microsoft, Google and Mozilla all provided updates for the invalid certificate in January.
Image Flaws and Safari
Simply viewing a maliciously crafted image file could have also potentially led to a Mac user being exploited. As part of the 10.8.3 update, Apple is providing at least two separate fixes (CVE-2012-2088 and CVE-2013-0976) to protect users against memory overflow issues that enable images to become attack vectors.
Apple is also updating its Safari Web browser to version 6.0.3. All of the security fixes for Safari are WebKit related, with at least eight issues found by Google's Chrome security team.
Both Safari and Chrome leverage the open source WebKit as the core rendering engine. Surprisingly, though Chrome was exploited in the recent Pwn2own browser hacking competition, Safari was not.