Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Apple Update Fixes Remote Code Execution Flaws in Mac OS X

Apple addressed over thirty serious vulnerabilities in OS X and Safari Web browser in a hefty update this week. 

The updates address vulnerabilities in Mac OS X Mountain Lion (10.8), Lion (10.7), and Snow Leopard (10.6), Apple said in its advisory Tuesay. The update for Mountain Lion, OS X 10.8.4, includes the update to Safari 6.0.5. Lion and Snow Leopard users will need to apply Security Update 2013-002.

Apple addressed over thirty serious vulnerabilities in OS X and Safari Web browser in a hefty update this week. 

The updates address vulnerabilities in Mac OS X Mountain Lion (10.8), Lion (10.7), and Snow Leopard (10.6), Apple said in its advisory Tuesay. The update for Mountain Lion, OS X 10.8.4, includes the update to Safari 6.0.5. Lion and Snow Leopard users will need to apply Security Update 2013-002.

A sizable number of security issues fixed in these updates, if exploited, would have resulted in remote code execution on the affected Mac, Apple said. Other flaws would have exposed sensitive information, create denial-of-service conditions, or allow attackers to bypass security controls, according to the advisory.

“US-CERT encourages users and administrators to review Apple Security article HT5784 and apply any necessary updates to help mitigate these risks,” US-CERT said in its alert.

The new Safari, version 6.0.5, fixed 23 distinct remote code execution vulnerabilities and three cross-site scripting flaws. The issues were all related to the WebKit engine that powers the browser. Apple released a separate advisory for Safari.

“Multiple memory corruption issues existed in WebKit,” Apple said in its advisory.

Advertisement. Scroll to continue reading.

Apple fixed several remote code execution bugs in the operating system, such as one in the CoreAnimation component, where users browsing to a maliciously crafted URL could be compromised, and in the Playback component, where users could be compromised via a maliciously crafted movie file. Apple also updated QuickTime to close remote code execution holes which could be exploited by maliciously crafted MP3, FPX, QTIF, and other movie files. 

A serious memory corruption vulnerability was also fixed in the Directory Service component in Snow Leopard. Directory Service tracks user and group authentication information used by platforms such as Active Directory, AppleTalk, Bonjour, and LDAP. The directory server handled messages from the network improperly, according to Core Security, who Apple credited for identifying the flaw..

“By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges,” Core Security said in its own advisory.

Apple also updated the version of Ruby currently being shipped in OS X Lion and Mountain Lion to version 2.3.18. Multiple vulnerabilities have recently been identified in Ruby on Rails, the most serious of which could allow attackers to remotely execute code on systems running Rails applications, Apple said. These issues are already being exploited in the wild.

Finally, Apple fixed 13 issues in OpenSSL, one of which would allow attackers to launch the CRIME attack, initially developed by security researchers Thai Duong and Juliano Rizzo. The compression attack on TLS 1.0 allowed attackers to decrypt SSL-protected sessions.

Written By

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.