Apple is out with its second major update to Mac OS X this year, the 10.8.4 update. Security is a big focus in the update, with patches for over 55 vulnerabilities that span the Apple operating system. The 10.8.3 update, which was released in March, tackled 21 vulnerabilities.
One of the largest buckets of fixes is found in the open source OpenSSL packages for OS X, with at least 12 vulnerabilities being fixed. Among the OpenSSL fixes is one for the CRIME SSL attack that was first publicly disclosed in September of 2012. The attack could have potentially enabled an attacker to decrypt SSL content. The CRIME SSL attack is the successor to the BEAST SSL attack that was first reported in September of 2011.
“There were known attacks on the confidentiality of TLS 1.0 when compression was enabled,” Apple’s advisory states. “This issue was addressed by disabling compression in OpenSSL.”
There is also a serious SMB (Server Message Block) networking protocol vulnerability that is being fixed in the 10.8.4 update. SMB enables file sharing across heterogeneous networks.
“If SMB file sharing is enabled, an authenticated user may be able to write files outside the shared directory,” Apple warned. “This issue was addressed through improved access control.”
The 10.8.4 update also addresses multiple QuickTime media vulnerabilities. The vulnerabilities could have potentially enabled a malicious attack via movies or music that execute arbitrary code.
Addressing Safari Issues
Apple is also updating its Safari browser to version 6.0.5 to fix 26 different flaws. Of those flaws, 23 are memory corruption issues in the WebKit rendering engine.
“Multiple memory corruption issues existed in WebKit,” Apple noted in its advisory. “These issues were addressed through improved memory handling.”
The majority of the WebKit memory corruption flaws were reported by the Google Chrome Security Team and those associated with it. To date, both Safari and Chrome have been using the open source WebKit engine to underpin their respective browsers.
That’s a situation that is now changing, as Google is leaving WebKit behind and moving to its own Blink engine.
Mac OS X users can get the updates via the Mac App Store or from the Apple Support site.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.