Apple ships OS X 10.8.3 - 11 remote code execution vulns patched, Snow Leopard and Lion get fixes too

Filed Under: Apple Safari, Featured, Java, OS X, Vulnerability

Apple has shipped the latest point release of its flagship Mountain Lion operating system.

This brings current-version Mac users to OS X 10.8.3.

You can upgrade in three ways:

  • Let Apple's own Software Update from the Apple menu take care of it via the App Store.
  • Download the standalone updater (541MByte) to take you from 10.8.2 to 10.8.3.
  • Download the Combo updater (794MByte) to take you from any earlier OS X 10.8 flavour to 10.8.3.

Unless you have a bandwidth-related reason not to go for the biggest download, I recommend you go for the Combo updater.

It's worth having around even if you only have one Mac, in case you need or want to reinstall Mountain Lion.

With the most recent Combo updater handy, you can install plain old OS X 10.8 and then leap in one bound to the latest point release.

What's new?

Apple, as usual, links to its regular landing page for security updates, knowledgebase article HT1222.

But that page, as usual, is lagging behind the actual update situation, with the most recent entry (as at 2013-03-15T20:40UTC+11) being Apple's Java security fix from 04 March 2013.

→ If anyone at Apple is reading this, please beg your product managers to reorganise their update workflow so that the security notifications go live at the same time as, or before, the actual updates are published. After all, you invite your users to visit HT1222 from the start; I suggest that it'll be much easier to persuade people to be early adopters if you have all your informational ducks in a row from the outset.

Having said that, the version-specific security update page is live, and can be found at knowledgebase article HT5672.

On security grounds alone, the update sounds well worth applying quickly.

There are fixes for 21 CVE-listed vulnerabilities, 11 of which are documented as offering remote attackers the potential for arbitrary code execution.

There are also various fixes for problems relating to data leakage or incorrect authentication (which invariably leads to data leakage because it permits users to see things they shouldn't).

The most interesting bug-fix, however, is CVE-2013-0967, whereby "visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled."

It'll be something of a surprise for anyone who was relying on Apple's new-found strictness against Java to find that turning Java off in your browser didn't necessarily have the desired effect!

Since running Java applets exposes you to a whole additional raft of possible security holes, this fix reinforces my suggestion above that this is an update worth applying as soon as you can.

Another noteworthy update is that the amusing (if unfunny) "fIle colon slash slash slash" bug is now a thing of the past.

That was a flaw in Apple's background data recognition software, which aims to auto-highlight text such as URLs displayed by applications such as word processors, text editors, browsers and email clients.

If you typed "file colon slash slash slash" (which denotes a local URL, i.e. a file or directory on your computer) then you'd be OK.

But if you mixed the case in the word "file", for example as "FiLE", OS X would trip an overly strict internal consistency check and the affected application would almost immediately crash.

Irritating, for sure. But not very severe, and in any case now a bug of the past.
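The bug class described above, a text scanner that matches URL schemes case-insensitively and then validates them case-sensitively, is easy to reproduce in miniature. The following Python is an added illustration, not code from the article or from Apple: a strict variant whose second check disagrees with its first, so a mixed-case "FiLE:///" aborts the whole scan (the analogue of the application crash), and a corrected variant that lower-cases the scheme before comparing, which is what RFC 3986 section 3.1 allows since scheme names are case-insensitive. The sample text, the scheme list and the function names are constructed for the example.

```python
import re

# Schemes the toy scanner knows how to highlight (constructed list).
KNOWN_SCHEMES = {"file", "http", "https"}

# Constructed sample text of the kind a background URL detector scans.
SAMPLE_TEXT = "Open file:///Users/demo/notes.txt or FiLE:///tmp/log.txt today"

# First check: a case-insensitive match, as a friendly text scanner would use.
URL_RE = re.compile(r"(?<![A-Za-z0-9])(file|https?)://(\S+)", re.IGNORECASE)


def strict_detect(text):
    """Buggy variant: matches case-insensitively, then validates case-sensitively.

    Returns a list of (scheme, rest) tuples, or raises AssertionError on any
    scheme whose spelling is not exactly one of KNOWN_SCHEMES.
    """
    found = []
    for m in URL_RE.finditer(text):
        scheme = m.group(1)
        # Second check disagrees with the first: "FiLE" passed the regex but
        # is not in the set, so the scanner fails its own internal error check.
        if scheme not in KNOWN_SCHEMES:
            raise AssertionError(f"internal error: unknown scheme {scheme!r}")
        found.append((scheme, m.group(2)))
    return found


def robust_detect(text):
    """Fixed variant: normalise the scheme to lower case before any comparison."""
    found = []
    for m in URL_RE.finditer(text):
        scheme = m.group(1).lower()  # RFC 3986 s3.1: scheme names are case-insensitive
        if scheme not in KNOWN_SCHEMES:
            continue  # skip the candidate quietly rather than failing the whole scan
        found.append((scheme, m.group(2)))
    return found


def strict_detect_aborts(text):
    """True if the buggy scanner would abort (crash) on this input."""
    try:
        strict_detect(text)
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    print("robust:", robust_detect(SAMPLE_TEXT))
    print("strict aborts on mixed case:", strict_detect_aborts(SAMPLE_TEXT))
```

The defensive point is that any two checks applied to the same token must agree on case handling; the usual fix, as here, is to canonicalise once (lower-case the scheme) and compare only the canonical form, treating unknown input as "not a URL" rather than as an internal error.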

Safari gets bumped up to version 6.0.3, just in case you hadn't already fetched that as a standalone update.

And Windows 8 can now much more easily be installed alongside OS X, thanks to an upgraded version of Boot Camp.

Lastly, if you have one of the newfangled Retina MacBook Pro laptops, the Mac-oriented website Macobserver.com claims that 10.8.3 will squeeze 20 minutes more out of your Mac's battery than 10.8.2 did.

That's about it.

As an early adopter, I grabbed the Combo update as soon as I could and applied it.

I haven't had any trouble...yet, so I'll give you a cautious "thumbs up" to go ahead right away.

If you're an early adopter too, and you've grabbed 10.8.3 already, please let us know in the comments how you got along.

Your observations will help those who are still nervous of large-sounding point updates to make up their minds...

NB. The Snow Leopard (10.6.8) and Lion (10.7.5) updates aren't full-on point updates. They're designated Security Update 2013-001 instead, and include all the 10.8.3 security fixes mentioned above. Like all updates explicitly labeled "security update", they're implicitly recommended for immediate deployment.


7 Responses to Apple ships OS X 10.8.3 - 11 remote code execution vulns patched, Snow Leopard and Lion get fixes too

  1. zeuszeus · 594 days ago

    Hi, Paul
    It seems you gave the same link for the standalone updater and the combo!
    Best regards

    • Paul Ducklin · 594 days ago

      Ooops! Thanks for spotting this. I've fixed it.

      Small chart:

      DL1640 = OS X 10.8.3 Combo Updater
      DL1641 = OS X updater to go from 10.8.2 -> 10.8.3
      DL1642 = Snow Leopard Security Update 2013-001
      DL1643 = Lion Security Update 2013-001

  2. Leo · 594 days ago

    Well it appears I can no longer use my iPhoto library or its folders as screen savers, only somebody else's junk. This is a serious step backward as I derive(d) great pleasure in viewing my 4000 old snapshots. I hope there is a remedy...

  3. Nigel · 592 days ago

    "NB. The Snow Leopard (10.8.6) and Lion (10.8.7) updates aren't full-on point updates..."

    Dyslexic system version numbers there. Should be "10.6.8" and "10.7.8". The links are correct, though.

    In case it matters.

  4. JPH · 591 days ago

    Upgraded before supper via the App Store, restarted and found absolutely nothing worked at all, no programs, no system, no wi-fi, no nothing. Have shut the machine down, and am hoping that a restart from scratch will bring things back up.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog