Apple Patches OS X, Safari Bugs

Wednesday, June 5, 2013 @ 04:06 PM gHale


Apple updated OS X and its Safari browser, fixing a pile of security vulnerabilities, many of which could end up used for remote code execution.

The release of OS X Mountain Lion 10.8.4 includes patches for more than 30 bugs, most notably a set of fixes for vulnerabilities in Ruby, some of which are in active exploitation at this point.

RELATED STORIES
Security Fixes for Chrome 27
Google Fixes Holes in Chrome 27
Critical Holes Fixed in Firefox
IE 10 Tops at Malware Blocking

This is a major security fix for OS X and in addition to the large set of patches for Ruby, there also is a long list of fixes for vulnerabilities in OpenSSL. One of the vulnerabilities fixed in OpenSSL is CVE-2012-4929, the bug that covers the compression attack on TLS 1.0 developed by security researchers Thai Duong and Juliano Rizzo. Known as the CRIME attack, the technique enables an attacker to decrypt SSL-protected sessions.

Apple also fixed 12 other vulnerabilities in OpenSSL by updating it to the most recent version, 0.9.8x.

Apple OS X 10.8.4 also fixes a number of vulnerabilities in Ruby that caused weaknesses in applications built on Ruby on Rails.

“Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18. This issue may affect OS X Lion or OS X Mountain Lion systems upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility,” Apple said in its advisory.

The patch also includes fixes for several vulnerabilities in QuickTime as well as in other components of the operating system.

As far as Safari goes, the release of Safari 6.0.5 is essentially a massive fix for WebKit. The new version of the browser contains more than 25 patches for WebKit vulnerabilities.



Leave a Reply

You must be logged in to post a comment.