Apple updated its OS X desktop and server operating systems this week with the 10.9 Mavericks release. Mavericks includes over 200 new features and a long list of security updates.
Most of the security components in the Mavericks release are not currently available in the most recent OS X 10.8 update, which provides a good reason for users of older OS X versions to update as soon as possible. The last OS X 10.8 Mountain Lion release prior to this week’s 10.9 Mavericks update is the 10.8.5 release which debuted in September.
One of the new updates in 10.9 is a fix for a vulnerability in OS X’s application firewall. The flaw is identified as CVE-2013-5165 and has an exploitability score of 10, meaning it can be remotely exploited by an attacker without authentication. Apple’s security notification on the issue explains that “the –blockApp option did not properly block applications from receiving network connections.”
Apple fixed three separate vulnerabilities affecting OS X’s CoreGraphics library in the 10.9 update. One of the vulnerabilities could potentially enable an attacker to execute arbitrary code if a malicious PDF file is viewed. There is also a CoreGraphics flaw that could have enabled an application to log keystrokes.
“By registering for a hotkey event, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled,” Apple warned. “This issue was addressed by additional validation of hotkey events.”
The approach known as “sandboxing” isolates processes from each other and the underlying operating system in a bid to reduce risk. As it turns out, Mac OS X prior to the new 10.9 update was vulnerable to an App Sandbox bypass.
“The LaunchServices interface for launching an application allowed sandboxed apps to specify the list of arguments passed to the new process,” Apple stated. “A compromised sandboxed application could abuse this to bypass the sandbox.”
Another boost to sandboxing in Mavericks comes from Adobe. For the first time on Mac OS X, Adobe’s Flash Player running in Apple’s Safari Web browser will work with the Apple App Sandbox.
“By providing this extra layer of protection to Safari users on OS X Mavericks, we can make it one step harder to exploit our mutual customers,” Peleus Uhley, platform security strategist at Adobe, wrote in a blog post. “The result is that customers can still view Flash Player content while benefiting from these added security protections.”
The Mavericks release also includes several key data and transport encryption improvements. For the first time Apple OS X is now enabling TLS 1.2, which is a more recent and more secure implementation of transport layer security. Prior to the Mavericks release, OS X only supported the SSLv3 and TLS 1.0 versions of SSL.
“These versions are subject to a protocol weakness when using block ciphers,” Apple warned. “A man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data.”
The OS X 10.9 release also improves Mac security by disabling support for X.509 security certificates that were protected by MD5 hashes. All versions of OS X prior to 10.9 support MD5 hashes, which were recently proved to be insecure.
“Further research or a misconfigured certificate authority could have allowed the creation of X.509 certificates with attacker controlled values that would have been trusted by the system,” Apple warned. “This would have exposed X.509 based protocols to spoofing, man in the middle attacks, and information disclosure.”
While Apple has not provided a system wide update for older versions of Mac OS X, it is updating the Safari Web browser. The Mavericks release includes the new Safari 7.0 release, which provides support for Apple’s iCloud keychain that enables users to save passwords in iCloud and use them across authorized Apple devices.
For older versions of Mac OS X, Apple now has a Safari 6.1 update which provides a long list of security updates. All of the security focused updates in Safari 6.1 are also included in Safari 7.0
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.