Apple Shuts More OS X, Safari Flaws

Tuesday, May 15, 2012 @ 07:05 PM gHale


Apple closed critical vulnerabilities in Mac OS X and its components with the 10.7.4 Mac OS X Lion update and security update 2012-002 for 10.6.

The most prominent fix in this update stops Lion from storing plain text passwords. Due to a mistake in the previous update, Lion wrote the passwords of users who mounted their home directory from a network volume (NFS, AFP or SMB) to the system log unencrypted, where anyone with admin or physical access could read them.

Those who continued to use the first version of the FileVault encryption after upgrading from Snow Leopard to Lion were also affected. The problem stemmed from a forgotten debug option left enabled in HomeDirMounter.

As the update cannot delete the accidentally stored data, Apple provided instructions on how to track down log files that could potentially contain plain text passwords. The company has also closed a hole in the kernel that caused unencrypted files to stay behind when Lion was in hibernation, even with FileVault activated.

Further vulnerabilities were fixed in components such as the LoginUIFramework, where a race condition allowed guest users of Lion to log in as another user without having to enter a password.

Apple has also closed a hole in the HFS filesystem that allowed malicious code to infect Lion systems when a specially crafted disk image was mounted. Curl is now protected against problems such as the “BEAST” attacks on encrypted connections. Developers also fixed various non-security issues.

Apple also released another security update for its Safari browser for Mac OS X and Windows. A memory corruption issue in WebKit exposed systems to malicious code when a user visited a specially crafted web page. Another hole enabled a specially crafted page to fill in forms on other pages. Apple also fixed a cross-site scripting hole discovered at Google’s Pwnium hacker contest.


