Apple Shuts OS X Security Holes

Monday, September 24, 2012 @ 03:09 PM gHale

Apple released updates for versions 10.6 (Snow Leopard), 10.7 (Lion) and 10.8 (Mountain Lion) of its Mac OS X operating system that close a number of critical security holes.

Mac OS X 10.8.2 and 10.7.5, and Security Update 2012-004 for Mac OS X 10.6.8 address a wide range of security vulnerabilities. These include information disclosure and denial-of-service (DoS) problems, bugs in the sandbox that could allow a malicious program to bypass restrictions, memory corruption bugs, and buffer and integer overflows.


An attacker could exploit quite a few of those holes to cause unexpected application termination or arbitrary code execution, Apple said. Among the changes in the updates are new versions of Apache, the BIND DNS server, International Components for Unicode, the kernel, Mail.app, PHP, Ruby and the QuickTime media player, all of which correct security problems.

In addition to the fixes in Mac OS X 10.7.5, the update also includes Gatekeeper, a security feature from 10.8 Mountain Lion. By default, this feature automatically rejects applications not signed with a valid Apple-issued Developer ID, but the setting can be changed. Gatekeeper includes three levels of security for running applications downloaded from the Internet: “Mac App Store,” “Mac App Store and identified developers” and “Anywhere.” The first of these only runs applications downloaded from the Mac App Store, while the second option only allows applications from the store and from developers who have signed their program with their Developer ID. The last option allows all applications to run, regardless of whether they have a Developer ID or not.
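
As an added illustration, not taken from the article, the following shell script shows how an administrator can check which Gatekeeper level is in force and how a downloaded application would be judged, using Apple's `spctl` command line tool (assumed present on Mac OS X 10.7.5 and 10.8 or later); the sample `spctl` output strings in the script are constructed for an offline dry run.

```shell
#!/bin/sh
# Added example: inspect Gatekeeper policy and classify an app's standing.
# Assumes macOS 10.7.5 / 10.8 or later, where `spctl` (the Gatekeeper CLI) exists.

# gatekeeper_policy: `spctl --status` only reports "assessments enabled" or
# "assessments disabled"; "disabled" is the "Anywhere" setting, "enabled" is
# one of the two restricted levels (Mac App Store, or store plus Developer ID).
gatekeeper_policy() {
  if spctl --status 2>/dev/null | grep -q 'assessments enabled'; then
    echo "restricted"
  else
    echo "anywhere"
  fi
}

# classify_gatekeeper: map the text of `spctl --assess --type execute -v APP`
# onto a label. Typical output is two lines, e.g.
#   /Applications/Foo.app: accepted
#   source=Developer ID
# It takes the captured output as its argument so it can be tested offline.
classify_gatekeeper() {
  case "$1" in
    *rejected*)                           echo "rejected" ;;
    *accepted*"source=Mac App Store"*)    echo "mac-app-store" ;;
    *accepted*"source=Developer ID"*)     echo "identified-developer" ;;
    *accepted*)                           echo "accepted-other" ;;
    *)                                    echo "unknown" ;;
  esac
}

# assess_app: run the real assessment on a downloaded bundle and classify it.
# Pair with `codesign -dv --verbose=4 APP` to see the signing identity itself.
assess_app() {
  out=$(spctl --assess --type execute --verbose "$1" 2>&1)
  classify_gatekeeper "$out"
}

# Constructed sample outputs (the format spctl prints on 10.8) for a dry run.
SAMPLE_STORE="/Applications/Foo.app: accepted
source=Mac App Store"
SAMPLE_DEVID="/Applications/Bar.app: accepted
source=Developer ID"
SAMPLE_REJECTED="/Applications/Baz.app: rejected
source=no usable signature"
```

Run `assess_app /Applications/SomeDownloaded.app` on a Mac to get the live verdict; `classify_gatekeeper "$SAMPLE_DEVID"` shows the labelling on the constructed sample.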
The company also released an update to its Safari web browser, version 6.0.1. This first update to Safari 6 since July addresses multiple information disclosure vulnerabilities, including one that could allow AutoFill contact information to be sent to maliciously crafted websites. The majority of the holes closed in Safari were memory corruption bugs in its WebKit browser engine, which an attacker could exploit to cause unexpected application termination or arbitrary code execution. For an attack to succeed, a victim must first visit a specially crafted website.