Apple's OS X and Safari get biggish security fixes

Rusli

URL:- http://nakedsecurity.sophos.com/2013/06/05/apples-os-x-and-safari-get-biggish-security-fixes/

 

Apple's OS X and Safari get biggish security fixes

Join thousands of others, and sign up for Naked Security's newsletter

 

by Paul Ducklin on June 5, 2013 | 2 Comments

FILED UNDER: Apple, Apple Safari, Featured, Security threats, Vulnerability

Apple has published updates for all supported versions of OS X, namely Mountain Lion (10.8), Lion (10.7) and Snow Leopard (10.6).

The operating system part of this update fixes numerous holes in eleven distinct parts of OS X.

This includes patches for security vulnerabilities in components that are themselves responsible for security.

Affected components include Directory Services (remote code execution), OpenSSL (information disclosure) and SMB (information disclosure).

Version 6 of Apple's Safari browser gets an update at the same time.

The executive summary of the Safari update notes merely that it "improves stability for some websites with chat features and games," but the security summary is the important one.

Safari 6.0.5 deals with no fewer than 23 CVE-listed remote code execution vulnerabilities.

That's the sort of bug that can lead to infection-just-by-browsing, where malicious software delivered into your browser manages to escape and execute outside your browser without stopping to ask for permission.

Additional patches to Safari 6.0.5 close off three cross-site scripting (XSS) vulnerabilities.

XSS is a problem because it can allow crooks to trick you into interacting with a malicious site by sucking dodgy content into the browser window of a legitimate site, effectively "borrowing" the genuine site's trustworthiness.

Updates by version

Mountain Lion users get a full-on point update to OS X 10.8.4. This update includes the update to Safari 6.0.5.

Snow Leopard and Lion users get Security Update 2013-002.

Note that the 2013-002 update deals only with the non-Safari vulnerabilities, so Lion users need a separate update to get to Safari 6.0.5. (Snow Leopard is still stuck on Safari 5, which doesn't get an update.)

If you simply let Apple's Software Update do the work for you, you won't have to worry about how to find the conponents of the update, though you'll may never find out quite what the update was all about.

That's OK, but for those of a more inquisitive disposition, here's a guide to the relevant articles amongst Apple's knowledgebase and download pages.

→ The second-listed Mountain Lion update below is what Apple calls a "Combo," and allows you to upgrade from any 10.8 version directly to 10.8.4 without updating to each point release in between. The "Combo" update is useful to keep up your sleeve for fresh OS X installs, where you may emerge from the installation process with a fully functional but entirely unpatched system.

If you have: Size KB page Download page

Mountain Lion 10.8.3	342 MB	HT5784	DL1658
Mountain Lion (any)	801 MB	HT5784	DL1659
Snow Leopard 10.6.8	330 MB	HT5784	DL1660
Lion 10.7.5	58 MB	HT5784	DL1661
Lion Server	106 MB	HT5784	DL1662
Snow Leopard Server	405 MB	HT5784	DL1663
Safari 6	???	HT5785	???

I haven't listed a download link for Safari 6.0.5 for the rather simple reason that I can't find one.

Apple's official product announcement says only that "for OS X Lion systems Safari 6.0.5 is available via the Apple Software Update application," so I suggest you simply update that way.