Apple addressed over thirty serious vulnerabilities in OS X and Safari Web browser in a hefty update this week.
The updates address vulnerabilities in Mac OS X Mountain Lion (10.8), Lion (10.7), and Snow Leopard (10.6), Apple said in its advisory Tuesay. The update for Mountain Lion, OS X 10.8.4, includes the update to Safari 6.0.5. Lion and Snow Leopard users will need to apply Security Update 2013-002.
A sizable number of security issues fixed in these updates, if exploited, would have resulted in remote code execution on the affected Mac, Apple said. Other flaws would have exposed sensitive information, create denial-of-service conditions, or allow attackers to bypass security controls, according to the advisory.
“US-CERT encourages users and administrators to review Apple Security article HT5784 and apply any necessary updates to help mitigate these risks,” US-CERT said in its alert.
The new Safari, version 6.0.5, fixed 23 distinct remote code execution vulnerabilities and three cross-site scripting flaws. The issues were all related to the WebKit engine that powers the browser. Apple released a separate advisory for Safari.
“Multiple memory corruption issues existed in WebKit,” Apple said in its advisory.
Apple fixed several remote code execution bugs in the operating system, such as one in the CoreAnimation component, where users browsing to a maliciously crafted URL could be compromised, and in the Playback component, where users could be compromised via a maliciously crafted movie file. Apple also updated QuickTime to close remote code execution holes which could be exploited by maliciously crafted MP3, FPX, QTIF, and other movie files.
A serious memory corruption vulnerability was also fixed in the Directory Service component in Snow Leopard. Directory Service tracks user and group authentication information used by platforms such as Active Directory, AppleTalk, Bonjour, and LDAP. The directory server handled messages from the network improperly, according to Core Security, who Apple credited for identifying the flaw..
“By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges,” Core Security said in its own advisory.
Apple also updated the version of Ruby currently being shipped in OS X Lion and Mountain Lion to version 2.3.18. Multiple vulnerabilities have recently been identified in Ruby on Rails, the most serious of which could allow attackers to remotely execute code on systems running Rails applications, Apple said. These issues are already being exploited in the wild.
Finally, Apple fixed 13 issues in OpenSSL, one of which would allow attackers to launch the CRIME attack, initially developed by security researchers Thai Duong and Juliano Rizzo. The compression attack on TLS 1.0 allowed attackers to decrypt SSL-protected sessions.
