Apple Mountain Lion 10.8.2 - lots of bug fixes, no known vices


Together with the much-vaunted launch of the iPhone 5 last week came Apple's public release of its latest mobile operating system upgrade, iOS 6.

Not quite as widely-hyped as iOS 6 was another system update that Apple released at the same time: OS X 10.8.2, the second major update to the Mountain Lion product.

With a couple of working days plus a weekend under its belt, OS X Mountain Lion 10.8.2 - and its sibling upgrades, Lion's 10.7.5 and Snow Leopard's Security Update 2012-004 - don't seem to have caused early adopters any major problems.

In short, it looks like a case of "no known vices."

And that raises the question, "Should I stay or should I go?"

I'd suggest, "Go!"

These latest OS X upgrades include 27 separately-documented fixes (not all of them apply to all OS X versions); overall, 95 different CVEs are dispatched, with 12 of the vulnerabilities annotated with the dreaded words "may lead to arbitrary code execution".

Here they are, coalesced into a single table:

| Component | OS | Vulnerability | CVEs fixed |
|---|---|---|---|
| Apache | SLM | DoS | 6 |
| BIND | LM | DoS, Data leakage | 2 |
| Apple CoreText | L | RCE | 1 |
| Apple DirectoryService | S | RCE | 1 |
| Apple ImageIO | SL | RCE | 3 |
| Apple Installer | L | Data leakage | 1 |
| OS X Kernel | L | Sandbox bypass | 1 |
| Apple LoginWindow | M | Password leakage | 1 |
| Apple Mail | SL | Security bypass | 1 |
| Apple Mobile Accounts | M | Password leakage | 1 |
| PHP | SLM | RCE | 7 |
| PHP libpng | SL | RCE | 1 |
| Apple Profile Manager | L | Authentication bypass | 1 |
| Apple QuickLook | SL | RCE | 1 |
| Apple QuickTime | SL | RCE | 3 |
| Ruby OpenSSL | SL | Crypto bypass (SSL/TLS) | 1 |
| Apple Safari | LM | Data leakage | 3 |
| TrustWave CA | SLM | User credential leakage | n/a |
| Apple Unicode support | SL | RCE | 1 |
| OS X USB support | L | RCE | 1 |
| Apple WebKit | LM | RCE | 58 |

* The initials S, L and M denote that the vulnerability affects Snow Leopard, Lion and Mountain Lion respectively.

* DoS stands for Denial of Service.

* RCE stands for Remote Code Execution.

As often happens with simultaneous upgrades to three different core versions of OS X, there isn't a one-size-fits-all download you can apply.

Mountain Lion users move to 10.8.2, which includes an update from Safari 6.0 to 6.0.1.

The Safari update is critical, as it fixes data leakage vulnerabilities in the browser front-end, as well as potential remote code execution holes in WebKit, OS X's core HTML rendering technology.

Lion users also get a new point release, going to 10.7.5, but don't get Safari 6.0.1 bundled in with it. That's a separate update, predictably called Safari 6.0.1.

On Snow Leopard, the security fixes don't change the OS version. You need Security Update 2012-004. There's no update to Safari or WebKit - Snow Leopard users stay at Safari 5.1.7.
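The per-release rules above can be turned into a patch-level check. The script below is an added example, not Apple's or the article's own code: the target versions are the ones named in the article, while the function names `ver_lt` and `needed_updates`, the sample inventory and the assumption that Safari lives in /Applications are illustrative.

```shell
#!/bin/sh
# Added example: patch-level check for the OS X updates described above.
# Target versions are the article's; function names are hypothetical.

# ver_lt A B: true if dotted version A is numerically lower than B,
# so 10.7.10 correctly sorts above 10.7.5 (a string compare would not).
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# needed_updates OSVER SAFARIVER: print one line per outstanding action.
needed_updates() {
    os=$1 safari=${2:-0}
    case $os in
        10.8|10.8.*)   # Mountain Lion: Safari 6.0.1 is bundled with 10.8.2
            ver_lt "$os" 10.8.2 && echo "install OS X 10.8.2 (includes Safari 6.0.1)" ;;
        10.7|10.7.*)   # Lion: the OS and Safari are two separate updates
            ver_lt "$os" 10.7.5 && echo "install OS X 10.7.5"
            ver_lt "$safari" 6.0.1 && echo "install Safari 6.0.1 (separate update)" ;;
        10.6|10.6.*)   # Snow Leopard: the version number cannot show the patch
            echo "confirm Security Update 2012-004 is installed (OS version unchanged)" ;;
        *)  echo "OS X $os is not covered by these updates" ;;
    esac
    return 0
}

if command -v sw_vers >/dev/null 2>&1; then
    # On a Mac: read the live versions (assumes Safari is in /Applications).
    needed_updates "$(sw_vers -productVersion)" \
        "$(defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString 2>/dev/null)"
else
    # Elsewhere: constructed sample inventory, "host os safari" per line.
    while read -r host os_v saf_v; do
        needed_updates "$os_v" "$saf_v" | sed "s/^/$host: /"
    done <<'EOF'
mac-a 10.8.1 6.0
mac-b 10.7.5 6.0
mac-c 10.6.8 5.1.7
EOF
fi
```

The Snow Leopard branch always asks for a manual confirmation because, as noted above, Security Update 2012-004 leaves the OS version unchanged, so a version comparison alone cannot prove the fixes are present.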

Apple also published an iPhoto update at the same time: if you're on Mountain Lion, as I am, you'll find you have to go to 10.8.2 before you can get the "performance and stability improvements" promised by upgrading iPhoto.

By the way, the new version of OS X Mountain Lion was a 366MByte download; iPhoto on its own clocked in at 373MBytes.

I suspect Apple is trying to tell me something there - I just haven't worked out what it is yet.



17 Responses to Apple Mountain Lion 10.8.2 - lots of bug fixes, no known vices

  1. Bob · 573 days ago

    I hope they fixed the SD-card issue too. After upgrading to ML 10.8.1 the OS doesn't 'see' any inserted cards anymore

    • Paul Ducklin · 573 days ago

      I upgraded to 10.8.1 the day it came out - didn't have any trouble with SD cards thereafter. Haven't needed to use one yet with 10.8.2 :-)

    • James · 571 days ago

      Upgraded to 10.8.2 MacBook Pro late 2011 edition. I have no problem with SD card slot. Actually, I have never had a problem inserting and opening files on SD cards with Mountain Lion.

  2. Murray A · 573 days ago

    I had a warning from Codeweavers that 10.8.2 knocked out Crossover for Mac, which allows certain Windows based software to be run under OSX. The last I heard Codeweavers was working with Apple to resolve the issue.

    • Paul Ducklin · 573 days ago

      Seems that the problem only affected 3D stuff using OpenGL, e.g. games, and is already fixed. CodeWeavers has an update that was published last Friday. Similar story for the open source WINE (of which Crossover is IIRC a pay-to-play variant).

      VirtualBox also had problems, but is also already fixed.

  3. Bob Kingsley · 573 days ago

    Safari 6.0.1 is only for Lion and Mountain Lion. Click your own link to verify. Snow Leopard is at Safari version 5.1.7.

    We applied the security patches for Snow Leopard and Lion, and everything went OK.

    • Paul Ducklin · 572 days ago

      Oops. I have corrected the article. There is no Safari 6 for Snow Leopard, so there can't be a 6.0.1 :-)

      The "Security Update 2012-004" excludes any Safari or WebKit updates, and there isn't a separate update package (as my own table testifies :-).

      So Snow Leopard was at Safari 5.1.7 before this latest update, and remains at that version afterwards.

      Thanks for pointing this out!

  4. Nigel · 573 days ago

    Back when OS X was innovative, user-friendly, and still growing in its functionality --- a philosophy that arguably peaked with Tiger (10.4) --- I installed upgrades as soon as they became available. That philosophy seems to have turned around with Leopard (10.5), which was bloated and somewhat obtuse. Snow Leopard (10.6) broke new ground in forced obsolescence, immediately dispossessing all PowerPC users. Lion (10.7) was a further insult, disowning Intel Core Duo machine owners (notably the original 17" MacBook Pro...and now the 17" MacBook Pro itself apparently has been orphaned by Apple). I wonder what unpleasant surprises are in store when I install Mountain Kitty (10.8).

    Mac Pro users have reason to be concerned. Snow Leopard is already being forced into obsolescence by an increasing number of software titles whose minimum requirement is 10.7. Meanwhile, I'm running configuration management client and server software that only recently became Lion-compatible. The useful band of hardware and system configurations is steadily narrowing, timewise, and forcing users into an increasingly frequent cycle of hardware and software "upgrades".

    All of this probably seems like business as usual to many Windows users. I know some Windows folks who long ago accepted the fact that they would buy new hardware every two to three years, but it's still a bit of a culture shock for me. In the past, I've expected to get five to six solid years of use out of a Mac. The Macs themselves still easily last that long, but the software changes so rapidly that the machines are forced into obsolescence sooner now. It’s becoming a necessity to run stable, long-term workhorse machines, supplemented by newer “bleeding edge” systems.

    Couple that with the deterioration of user-friendliness for which the Mac used to be famous (for example, try searching for an invisible file with the Finder these days; and the entire user Library folder is invisible as of 10.7…WTF?), and I too find myself thinking, “I suspect Apple is trying to tell me something here - I just haven't worked out what it is yet.”

    • Paul Ducklin · 572 days ago

      Midnight Commander (get the MacPorts version) is your file system navigational friend :-)

      • Nigel · 572 days ago

        Thanks for the tip, Paul, but I've found other solutions that solve the problem. My point was that it's baffling to me that Apple has moved in the direction of making the system less accessible to users with the tools included in the system itself.

        It's incomprehensible to me that Mac users (unless they want to use command line in the Console.app; I don't) have to find third-party GUI applications for everyday functionality like finding things on their computers. That is not consistent with what the system used to be.

        In an effort to find out why, I submitted it to Apple as a support case last year. Naturally, the support tech couldn't answer the question, so the case ended up getting escalated. After several days of yeoman effort on the part of the person who handled the case, she was forced to admit that it doesn't make much sense, but "that's just the way it is now".

        I already knew that. If no one at Apple can provide a rational explanation for making the system less accessible and more opaque to the user, then it does make me wonder whether the folks at Apple are losing their way.

  5. Ruth McKennell · 572 days ago

    10.8.2 crashes mail when using multiple accounts. On my second MBPr and as soon as I did updates same issue.

    • Paul Ducklin · 572 days ago

      You mean the Apple Mail app? I'll take your word for it.

      (Since moving to 10.8.2, I now have "Mail 6.1 (1498)", which I presume was updated as suggested in the table above, but I am afraid I neglected to record the version I had before, so I can't be certain. Whatever the case, I have two accounts set up - one for in the office and one for out of it - and I can still toggle between them without drama.)

  6. Sam · 572 days ago

    10.8.2 does have a bug!! Updating to 10.8.2 caused my rMBP screen and my external monitor to go black with nothing showing but a big white cursor arrow. This is happening randomly with different external monitors and projectors. My rMBP works fine when it is not plugged into the external monitor. Here is a thread where you can read about the problems people are having. This is a widespread problem, but to complicate things, it is not happening universally.
    https://discussions.apple.com/thread/4312536?star...

    • Paul Ducklin · 572 days ago

      You plug your Retina display into an external monitor? Well...there's your problem - OS X is trying to protect you from resolution disappointment :-)

      (Seriously, I can see you'd need to run a projector for a preso. Non-HDMI connections seem to work fine - I invariably carry just the VGA dongle for seminars and presentations, since that's the lowest common denominator, and the old connectors from my 2010 Macbook Pro work fine :-)

      I guess the solution to this one is along the lines of "Doctor, Doctor, it hurts when I do that."

      "Well, don't do that, then."

  7. Sam · 572 days ago

    Someone just posted a solution to the external monitor problem on the following thread. You have to delete plist files in your root directory library and your user directory library. Go to the thread for specific directions.
    https://discussions.apple.com/thread/4312536?star...

  8. Jack · 572 days ago

    I was wondering when others started seeing what I saw when I purchased a Power-PC with lots of goodies and it ran about 3 years and then no more software? I spent almost 4K to get a good Unix box and now it sits virtually idle because nobody supports it.

    If they keep on this road then PC's will come back with Linux type OS's since as one person pointed out, you can't find anything with the finder, just like Windows explorer. I'm waiting for some word about when the next major hardware jump will be made...

    Good Luck to all...

  9. Joyce Houghton · 521 days ago

    There are numerous bugs with 10.8.2 and no one seems to address it. I have a mac mini and when I first upgraded to ML from SL it worked fine and I was happy learning how it worked. Well as of the date 8/3/2012 it was making changes in my preferences that I wasn't even aware of. Then the first part of Nov. my time machine stopped backing up my data. After much playing around, turning it on and off it worked again. (so I thought anyhow) today 11/14/12 it again lost my back up disk. I've spent all morning or 5 hours researching this. I found that Time machine isn't even compatible with ML and lots of people are having problems with it, no fixes in sight, because someone doesn't admit there's a problem! It all just came to my attention with the latest update to 10.8.2 but this must have been taking place with ML. What are we to do? and just where do we find answers?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog