Apple Security Fixes in OS X

Friday, March 15, 2013 @ 03:03 PM gHale

Apple released a large batch of security fixes Thursday for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser.

OS X 10.8.3 fixes 21 vulnerabilities, and also includes a new version of the malware removal tool for Apple machines.


The latest set of patches for Apple OS X consists of important security fixes, but the most interesting one is the fix for the Java issue. A slew of serious vulnerabilities in Java has been disclosed in the last few months, and security experts have been recommending that users disable Java in their browsers as a protective measure. However, it appears that measure wasn’t quite enough to protect users of some versions of OS X.

“Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled. Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory,” Apple said in its advisory.

Several of the vulnerabilities Apple fixed in OS X could be used by an attacker for remote code execution. One of those is a buffer overflow in QuickTime that could allow an attacker to run arbitrary code on a vulnerable machine. Among the other fixes in the update is a change that revokes trust in some fraudulent SSL certificates issued by TURKTRUST.

“Several intermediate CA certificates were mistakenly issued by TURKTRUST. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates,” Apple said.
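The reason a mistakenly issued intermediate needs an explicit fix is that it is, cryptographically, a perfectly valid certificate: it really was signed by a trusted root, so ordinary chain building accepts any leaf it signs. Revoking trust therefore means adding the intermediate to a distrust list that is consulted on every chain, separately from root trust. The following is an added illustration of that check, not Apple's code or any description of how OS X implements it; the certificates are constructed dictionaries with simulated fingerprints, and signature verification, validity periods and name constraints are deliberately left out to keep the distrust logic visible.

```python
"""Constructed illustration of distrusting a mis-issued intermediate CA.

The "certificates" below are plain dictionaries, not real X.509 data, and
issuance is simulated by issuer/subject linkage only. A real validator also
verifies each signature, validity period, key usage and name constraints.
"""
import hashlib


def make_cert(subject, issuer, is_ca=False):
    """Build a constructed certificate with stable stand-in DER bytes."""
    der = f"{subject}|{issuer}|{is_ca}".encode()
    return {"subject": subject, "issuer": issuer, "is_ca": is_ca, "der": der}


def fingerprint(cert):
    """SHA-256 over the (constructed) encoded certificate bytes."""
    return hashlib.sha256(cert["der"]).hexdigest()


# Constructed trust store: one trusted root.
ROOT = make_cert("Example Root CA", "Example Root CA", is_ca=True)
TRUSTED_ROOTS = {fingerprint(ROOT): ROOT}

# A correctly issued intermediate, and one the root issued by mistake.
# Both are genuinely "signed" by the trusted root, so linkage alone
# cannot tell them apart.
GOOD_INTERMEDIATE = make_cert("Example Issuing CA 1", "Example Root CA", is_ca=True)
ROGUE_INTERMEDIATE = make_cert("Mistakenly Issued CA", "Example Root CA", is_ca=True)

# Revoking trust: the rogue intermediate's fingerprint goes on a distrust
# list. The root itself stays trusted, so legitimate chains keep working.
DISTRUSTED = {fingerprint(ROGUE_INTERMEDIATE)}

# Constructed leaves: a legitimate site certificate and one a
# man-in-the-middle could present if the rogue intermediate were honoured.
GOOD_LEAF = make_cert("www.example.com", "Example Issuing CA 1")
ROGUE_LEAF = make_cert("login.example.com", "Mistakenly Issued CA")


def evaluate_chain(chain, trusted_roots=TRUSTED_ROOTS, distrusted=DISTRUSTED):
    """Return (ok, reason) for a leaf-first chain that should end in a trusted root.

    The distrust check runs on every certificate in the chain, before and
    independently of the linkage checks, which is what makes it effective
    against a correctly signed but wrongly issued intermediate.
    """
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if fingerprint(cert) in distrusted:
            return False, f"explicitly distrusted: {cert['subject']}"
        if i > 0 and not cert["is_ca"]:
            return False, f"non-CA certificate used as issuer: {cert['subject']}"
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            return False, f"issuer mismatch at {cert['subject']}"
    root = chain[-1]
    if root["subject"] != root["issuer"] or fingerprint(root) not in trusted_roots:
        return False, "chain does not end in a trusted root"
    return True, "ok"


if __name__ == "__main__":
    print("legitimate chain:", evaluate_chain([GOOD_LEAF, GOOD_INTERMEDIATE, ROOT]))
    print("rogue chain, with distrust list:",
          evaluate_chain([ROGUE_LEAF, ROGUE_INTERMEDIATE, ROOT]))
    # Without the distrust entry the rogue chain validates, which is why a
    # root-only trust model could not fix this problem.
    print("rogue chain, no distrust list:",
          evaluate_chain([ROGUE_LEAF, ROGUE_INTERMEDIATE, ROOT], distrusted=set()))
```

Running the block shows the legitimate chain accepted, the rogue chain rejected with the distrust reason, and, when the distrust set is emptied, the same rogue chain accepted again. That last result is the point of Apple's fix: the chain is structurally valid, so only an explicit distrust entry (or a revocation mechanism the client actually checks) can block it.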
