Apple’s Big Security Update

Wednesday, June 29, 2011 @ 11:06 PM gHale


While Apple is not a huge player in the manufacturing arena, the company still has an influence in the industry. Apple released a massive set of security updates for Mac OS X and a number of other applications, fixing 39 separate vulnerabilities in programs including QuickTime, MobileMe and others.

The company also released OS X 10.6.8.

One of the more serious bugs Apple fixed with the huge patch release is a vulnerability in OS X’s certificate trust policy, which governs the ways in which users’ systems handle digital certificates. The vulnerability can allow an attacker who already has a foothold on a network to eavesdrop and intercept users’ credentials or other sensitive data.

“An error handling issue existed in the Certificate Trust Policy. If an Extended Validation (EV) certificate has no OCSP URL, and CRL checking is enabled, the CRL will not be checked and a revoked certificate may be accepted as valid. This issue is mitigated as most EV certificates specify an OCSP URL,” Apple said in its advisory. Two Google researchers identified and reported the certificate trust policy issue.

Apple also released patches for five individual vulnerabilities in QuickTime, which is one of the more widely deployed applications on the Web. It’s the default media player for OS X users, and a hacker can use all of the vulnerabilities that Apple fixed to run arbitrary code on remote machines.

In addition to the QuickTime and certificate bugs, Apple also fixed eight separate flaws in its MySQL implementation in OS X. The application, which ships with OS X Server, had several bugs that could work for remote code execution. There also were five vulnerabilities in the company’s OpenSSL implementation. Hackers could use that vulnerability for remote code execution, as well.



Leave a Reply

You must be logged in to post a comment.