Apple OS X users - it's Security Update time again!

Filed Under: Vulnerability, Apple, Featured, OS X

Apple's latest large-scale OS X security updates are out.

If you're a Snow Leopard (OS X 10.6) user, you'll need the 200Mbyte Security Update 2012-001, which requires you to be at the latest point release of that version first.

(That's 10.6.8, which came out back in June 2011. You updated to 10.6.8 long ago, did you not?)

If you're using Lion (OS X 10.7), you get 700MBytes to 1.4Gbytes (depending on what sub-version of 10.7 you are currenly using) of full-blown new point release, which takes you to 10.7.3.

A reboot is required on both Snow Leopard and Lion.

Apple's description of the security issues fixed in these updates can be found in Support Article HT5130.

This sounds like the sort of update you would ignore at your peril.

It includes 39 fixes, addressing 52 different Common Vulnerabilities and Exposures (CVE) issues (plus one problem - various dodgy SSL certificates - not covered by a CVE identifier).

19 of the fixes are for problems listed with an impact of arbitrary code execution. That's vulnerability-speak for "could perhaps be used by a cybercrook for a drive-by infection." These now-patched exploitable vulnerabilities involved a wide range of file types.

In most cases, simply using a data file could have been enough to expose you to the vulnerability, for example: previewing a font, listening to an audio file, watching a video, viewing an image, or reading a PDF document.

Since data files aren't supposed to contain executable code - or, if they do, that code is supposed to be just-so-much harmless data - we quite reasonably treat images, podcasts, videos and so forth as implicitly safe for Macs and PCs.

So cybercrooks adore remote code execution vulnerabilities which let them sneak program code onto your computer under perfectly innocent-looking cover. The crooks are willing to pay good money for data-borne exploits; you need to be willing to patch the underlying vulnerabilities as soon as you can.

Over to you. Click on the Apple menu, choose Software Update..., and take it from there!


-

, , , , , , ,

You might like

5 Responses to Apple OS X users - it's Security Update time again!

  1. Jon Fukumoto · 994 days ago

    Downloaded it and my system is up to date. How about everyone else out there?

  2. jodydraws · 993 days ago

    I'm getting there, downloading now. Better sooner than later.

  3. Rsosborne · 993 days ago

    that's a big update!

    thanks

  4. Jim · 993 days ago

    Still trying to understand how data you read as data ever gets to a part of the process that would even try to interpret it as executable code. Anyone care to educate me?

    • Paul Ducklin · 993 days ago

      In practice, it's kinda complex to get right...but here it is in theory :-)

      Imagine you can create a malformed data file for application X which crashes X because of vulnerability Y.

      Now imagine that you can work out how to orchestrate/tweak/aim the crash so that the code path taken by the CPU wanders into (or is controlled by) the malformed data area. Remember that the malformed data is entirely under your control.

      Further, remember that the malformed data entirely under your control may be deliverable under innocent-looking cover, via a web page from an otherwise-innocent outside source (e.g. as an embedded font, a PDF, a PNG, a podcast, or a video).

      If you can do all of that, you have found remote code execution exploit Z against vulnerability Y in application X.

      You can now sell Z to the highest bidder, if your conscience will permit you.

  5. Theresa J · 992 days ago

    DON'T DO IT if you're still using Quicken 2007!!! The security update hoses it. Although I was able to open Quicken, I am no longer able to import downloaded transactions or export to use in another program (I heard this was happening from someone on VMWare's forums) without Quicken crashing. This update apparently got rid of Rosetta, required for many legacy programs to run. I guess Intuit's Spring release of a patch so Q2007 would run on Lion just wasn't fast enough for Apple's tastes. Thank goodness I hadn't done the security update on my laptop yet, so I can run Quicken there, but I don' like to keep financial info on my laptop.

    After Apple's 7.6 update for Airport that hosed people's internet connections (so they had to downgrade their update) (including mine), and now this, you can bet I'm going to hold off before letting Apple update my software again. It's either negligence or arrogance, or maybe both, that cause this to do this to their customers.

    Uninstalling and reinstalling Quicken does nothing to help.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog