Apple’s latest large-scale OS X security updates are out.
If you’re a Snow Leopard (OS X 10.6) user, you’ll need the 200MB Security Update 2012-001, which requires you to be at the latest point release of that version first.
(That’s 10.6.8, which came out back in June 2011. You updated to 10.6.8 long ago, did you not?)
If you’re using Lion (OS X 10.7), you get 700MB to 1.4GB (depending on which sub-version of 10.7 you are currently using) of full-blown new point release, which takes you to 10.7.3.
A reboot is required on both Snow Leopard and Lion.
Apple’s description of the security issues fixed in these updates can be found in Support Article HT5130.
This sounds like the sort of update you would ignore at your peril.
It includes 39 fixes, addressing 52 different Common Vulnerabilities and Exposures (CVE) issues (plus one problem – various dodgy SSL certificates – not covered by a CVE identifier).
19 of the fixes are for problems listed with an impact of arbitrary code execution. That’s vulnerability-speak for “an attacker who gets you to open a booby-trapped file can run code of their choosing, with the privileges of the application that opened it”: in practice, the makings of a drive-by infection from an otherwise innocent-looking web page. These now-patched exploitable vulnerabilities involved a wide range of file types.
In most cases, simply using a data file could have been enough to expose you to the vulnerability, for example: previewing a font, listening to an audio file, watching a video, viewing an image, or reading a PDF document.
Since data files aren’t supposed to contain executable code (or, if they do, that code is supposed to be just so much harmless data), we quite reasonably treat images, podcasts, videos and so forth as implicitly safe on Macs and PCs.
So cybercrooks adore remote code execution vulnerabilities which let them sneak program code onto your computer under perfectly innocent-looking cover. The crooks are willing to pay good money for data-borne exploits; you need to be willing to patch the underlying vulnerabilities as soon as you can.
Over to you. Click on the Apple menu, choose Software Update…, and take it from there!
–
Downloaded it and my system is up to date. How about everyone else out there?
I'm getting there, downloading now. Better sooner than later.
That’s a big update!
Thanks.
Still trying to understand how data you read as data ever gets to a part of the process that would even try to interpret it as executable code. Anyone care to educate me?
In practice, it's kinda complex to get right…but here it is in theory 🙂
Imagine you can create a malformed data file for application X which crashes X because of vulnerability Y.
Now imagine that you can work out how to orchestrate/tweak/aim the crash so that the code path taken by the CPU wanders into (or is controlled by) the malformed data area. Remember that the malformed data is entirely under your control.
Further, remember that the malformed data entirely under your control may be deliverable under innocent-looking cover, via a web page from an otherwise-innocent outside source (e.g. as an embedded font, a PDF, a PNG, a podcast, or a video).
If you can do all of that, you have found remote code execution exploit Z against vulnerability Y in application X.
You can now sell Z to the highest bidder, if your conscience will permit you.
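The mechanism the article describes (a data file that smuggles in control of the program under innocent cover) and the X/Y/Z explanation in the reply above, as an added example that is not part of the original post, of the comment, or of any Apple code: a toy “image” decoder with a made-up file format, whose vulnerable parser trusts a length byte from the file so that pixel data spills over into the field that chooses the next code path, alongside a hardened parser that checks the declared length against the buffer that actually receives it. The format, the struct layout, the handler table and the crafted files are all assumptions constructed for illustration and have nothing to do with the specific vulnerabilities listed in HT5130.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format (not a real one): bytes 0..3 magic "TOYI",
 * byte 4 = declared pixel-data length N, bytes 5.. = N bytes of pixels. */
#define MAGIC     "TOYI"
#define PIXEL_BUF 16

/* Decoder state. The field after the pixel buffer selects which
 * post-processing routine runs next, i.e. it decides a code path. */
struct decoder {
    unsigned char pixels[PIXEL_BUF];
    uint32_t      handler;            /* index into handlers[] */
};

enum { HANDLER_NONE = 0, HANDLER_GRAYSCALE = 1, HANDLER_COUNT = 2 };
typedef int (*handler_fn)(const struct decoder *);
static int handler_none(const struct decoder *d)      { (void)d; return 0; }
static int handler_grayscale(const struct decoder *d) { return d->pixels[0]; }
static const handler_fn handlers[HANDLER_COUNT] = { handler_none, handler_grayscale };

static int check_header(const unsigned char *file, size_t file_len, size_t *n)
{
    if (file_len < 5 || memcmp(file, MAGIC, 4) != 0) return -1;
    *n = file[4];
    if (*n > file_len - 5) return -1;  /* declared length exceeds the file */
    return 0;
}

/* VULNERABLE ("application X, vulnerability Y"): trusts the file's length
 * byte when copying pixels. The copy goes through a pointer to the whole
 * struct and is capped at sizeof *d only so the demo stays inside one
 * object; a length above PIXEL_BUF still spills into d->handler. */
int parse_vulnerable(struct decoder *d, const unsigned char *file, size_t file_len)
{
    size_t n;
    if (check_header(file, file_len, &n) != 0) return -1;
    if (n > sizeof *d) n = sizeof *d;
    memset(d, 0, sizeof *d);
    d->handler = HANDLER_GRAYSCALE;
    memcpy((unsigned char *)d, file + 5, n);   /* BUG: never checked against PIXEL_BUF */
    return (int)n;
}

/* HARDENED: same format, but the declared length is checked against the
 * buffer that receives it, and an oversize file is rejected, not truncated. */
int parse_hardened(struct decoder *d, const unsigned char *file, size_t file_len)
{
    size_t n;
    if (check_header(file, file_len, &n) != 0) return -1;
    if (n > PIXEL_BUF) return -2;
    memset(d, 0, sizeof *d);
    d->handler = HANDLER_GRAYSCALE;
    memcpy(d->pixels, file + 5, n);
    return (int)n;
}

/* Dispatch on the handler index. The range check stands in for what a real
 * program usually lacks: with a raw function pointer or return address there
 * is nothing to check, and the CPU jumps wherever the file data says. */
int run_handler(const struct decoder *d)
{
    if (d->handler >= HANDLER_COUNT) return -3;  /* would be attacker-chosen code */
    return handlers[d->handler](d);
}

/* Constructed inputs: a benign 3-pixel file, and a file whose declared length
 * covers the whole decoder struct with 'A' (0x41) landing on d->handler. */
static const unsigned char benign_file[] = { 'T', 'O', 'Y', 'I', 3, 7, 8, 9 };
static unsigned char malicious_file[5 + sizeof(struct decoder)];

size_t build_malicious_file(void)
{
    memcpy(malicious_file, MAGIC, 4);
    malicious_file[4] = (unsigned char)sizeof(struct decoder);
    memset(malicious_file + 5, 0, sizeof(struct decoder));
    memset(malicious_file + 5 + offsetof(struct decoder, handler), 'A', sizeof(uint32_t));
    return sizeof malicious_file;
}

uint32_t handler_after_vulnerable_parse(void)
{
    struct decoder d;
    parse_vulnerable(&d, malicious_file, build_malicious_file());
    return d.handler;        /* 0x41414141: chosen by the file, not the program */
}

int dispatch_after_vulnerable_parse(void)
{
    struct decoder d;
    parse_vulnerable(&d, malicious_file, build_malicious_file());
    return run_handler(&d);  /* -3: only the demo's guard stops the hijacked jump */
}

int hardened_result(void)
{
    struct decoder d;
    return parse_hardened(&d, malicious_file, build_malicious_file());  /* -2 */
}

int benign_result(void)
{
    struct decoder d;
    parse_hardened(&d, benign_file, sizeof benign_file);
    return run_handler(&d);  /* 7: grayscale handler reads pixel 7 */
}

int main(void)
{
    printf("vulnerable parse: handler = 0x%08x, dispatch = %d\n",
           handler_after_vulnerable_parse(), dispatch_after_vulnerable_parse());
    printf("hardened parse of the same file: %d; benign file: %d\n",
           hardened_result(), benign_result());
    return 0;
}
```

The point the reply above makes is visible in `handler_after_vulnerable_parse`: nothing in the file was ever meant to be code, yet after the vulnerable copy the value deciding which routine runs next is whatever the file’s author put there. In a real decoder the clobbered field is typically a return address or a function pointer with no range check in front of it, which is exactly how a crash on malformed input is steered into a jump into attacker-controlled data.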
DON’T DO IT if you’re still using Quicken 2007!!! The security update hoses it. Although I was able to open Quicken, I am no longer able to import downloaded transactions or export to use in another program (I heard this was happening from someone on VMware’s forums) without Quicken crashing. This update apparently got rid of Rosetta, required for many legacy programs to run. I guess Intuit’s Spring release of a patch so Q2007 would run on Lion just wasn’t fast enough for Apple’s tastes. Thank goodness I hadn’t done the security update on my laptop yet, so I can run Quicken there, but I don’t like to keep financial info on my laptop.
After Apple’s 7.6 update for AirPort that hosed people’s internet connections (including mine), so that they had to downgrade their update, and now this, you can bet I’m going to hold off before letting Apple update my software again. It’s either negligence or arrogance, or maybe both, that causes them to do this to their customers.
Uninstalling and reinstalling Quicken does nothing to help.