Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Apple Update Fixes Remote Code Execution Flaws in Mac OS X

Apple addressed over thirty serious vulnerabilities in OS X and Safari Web browser in a hefty update this week. 

The updates address vulnerabilities in Mac OS X Mountain Lion (10.8), Lion (10.7), and Snow Leopard (10.6), Apple said in its advisory Tuesay. The update for Mountain Lion, OS X 10.8.4, includes the update to Safari 6.0.5. Lion and Snow Leopard users will need to apply Security Update 2013-002.

Apple addressed over thirty serious vulnerabilities in OS X and Safari Web browser in a hefty update this week. 

The updates address vulnerabilities in Mac OS X Mountain Lion (10.8), Lion (10.7), and Snow Leopard (10.6), Apple said in its advisory Tuesay. The update for Mountain Lion, OS X 10.8.4, includes the update to Safari 6.0.5. Lion and Snow Leopard users will need to apply Security Update 2013-002.

A sizable number of security issues fixed in these updates, if exploited, would have resulted in remote code execution on the affected Mac, Apple said. Other flaws would have exposed sensitive information, create denial-of-service conditions, or allow attackers to bypass security controls, according to the advisory.

“US-CERT encourages users and administrators to review Apple Security article HT5784 and apply any necessary updates to help mitigate these risks,” US-CERT said in its alert.

The new Safari, version 6.0.5, fixed 23 distinct remote code execution vulnerabilities and three cross-site scripting flaws. The issues were all related to the WebKit engine that powers the browser. Apple released a separate advisory for Safari.

“Multiple memory corruption issues existed in WebKit,” Apple said in its advisory.

Apple fixed several remote code execution bugs in the operating system, such as one in the CoreAnimation component, where users browsing to a maliciously crafted URL could be compromised, and in the Playback component, where users could be compromised via a maliciously crafted movie file. Apple also updated QuickTime to close remote code execution holes which could be exploited by maliciously crafted MP3, FPX, QTIF, and other movie files. 

A serious memory corruption vulnerability was also fixed in the Directory Service component in Snow Leopard. Directory Service tracks user and group authentication information used by platforms such as Active Directory, AppleTalk, Bonjour, and LDAP. The directory server handled messages from the network improperly, according to Core Security, who Apple credited for identifying the flaw..

“By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges,” Core Security said in its own advisory.

Apple also updated the version of Ruby currently being shipped in OS X Lion and Mountain Lion to version 2.3.18. Multiple vulnerabilities have recently been identified in Ruby on Rails, the most serious of which could allow attackers to remotely execute code on systems running Rails applications, Apple said. These issues are already being exploited in the wild.

Finally, Apple fixed 13 issues in OpenSSL, one of which would allow attackers to launch the CRIME attack, initially developed by security researchers Thai Duong and Juliano Rizzo. The compression attack on TLS 1.0 allowed attackers to decrypt SSL-protected sessions.

Written By

Click to comment

Expert Insights

Related Content

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...