Apple Mountain Lion 10.8.2 – lots of bug fixes, no known vices

Together with the much-vaunted launch of the iPhone 5 last week came Apple’s public release of its latest mobile operating system upgrade, iOS 6.

Not quite as widely-hyped as iOS 6 was another system update that Apple released at the same time: OS X 10.8.2, the second major update to the Mountain Lion product.

With a couple of working days plus a weekend under its belt, OS X Mountain Lion 10.8.2 – and its sibling upgrades, Lion’s 10.7.5 and Snow Leopard’s Security Update 2012-004 – don’t seem to have caused early adopters any major problems.

In short, it looks like a case of “no known vices.”

And that raises the question, “Should I stay or should I go?”

I’d suggest, “Go!”

These latest OS X upgrades include 27 separately-documented fixes (not all of them apply to all OS X versions); overall, 95 different CVEs are dispatched, with 12 of the vulnerabilities annotated with the dreaded words “may lead to arbitrary code execution”.

Here they are, coalesced into a single table:

Component OS Vulnerability CVEs fixed
Apache SLM DoS 6
BIND LM DoS, Data leakage 2
Apple CoreText L RCE 1
Apple DirectoryService S RCE 1
Apple ImageIO SL RCE 3
Apple Installer L Data leakage 1
OS X Kernel L Sandbox bypass 1
Apple LoginWindow M Password leakage 1
Apple Mail SL Security bypass 1
Apple Mobile Accounts M Password leakage 1
PHP libpng SL RCE 1
Apple Profile Manager L Authentication bypass 1
Apple QuickLook SL RCE 1
Apple QuickTime SL RCE 3
Ruby OpenSSL SL Crypto bypass (SSL/TLS) 1
Apple Safari LM Data leakage 3
TrustWave CA SLM User credential leakage n/a
Apple Unicode support SL RCE 1
OS X USB support L RCE 1
Apple WebKit LM RCE 58

* The initials S, L and M denote that the vulnerability affects Snow Leopard, Lion and Mountain Lion respectively.

* DoS stands for Denial of Service.

* RCE stands for Remote Code Execution.

As often happens with simultaneous upgrades to three different core versions of OS X, there isn’t a one-size-fits-all download you can apply.

Mountain Lion users move to 10.8.2, which includes an update from Safari 6.0 to 6.0.1.

The Safari update is critical, as it fixes data leakage vulnerabilities in the browser front-end, as well as potential remote code execution holes in WebKit, OS X’s core HTML rendering technology.

Lion users also get a new point release, going to 10.7.5, but don’t get Safari 6.0.1 bundled in with it. That’s a separate update, predictably called Safari 6.0.1.

On Snow Leopard, the security fixes don’t change the OS version. You need Security Update 2012-004. There’s no update to Safari or WebKit – Snow Leopard users stay at Safari 5.1.7.

Apple also published an iPhoto update at the same time: if you’re on Mountain Lion, as I am, you’ll find you have to go to 10.8.2 before you can get the “performance and stability improvements” promised by upgrading iPhoto.

By the way, the new version of OS X Mountain Lion was a 366MByte download; iPhoto on its own clocked in at 373MBytes.

I suspect Apple is trying to tell me something there – I just haven’t worked out what it is yet.