Together with the much-vaunted launch of the iPhone 5 last week came Apple’s public release of its latest mobile operating system upgrade, iOS 6.
Not quite as widely hyped as iOS 6 was another system update that Apple released at the same time: OS X 10.8.2, the second major update to the Mountain Lion product.
With a couple of working days plus a weekend under its belt, OS X Mountain Lion 10.8.2 – and its sibling upgrades, Lion’s 10.7.5 and Snow Leopard’s Security Update 2012-004 – don’t seem to have caused early adopters any major problems.
In short, it looks like a case of “no known vices.”
And that raises the question, “Should I stay or should I go?”
I’d suggest, “Go!”
These latest OS X upgrades include 27 separately documented fixes (not all of them apply to all OS X versions); overall, 95 different CVEs are dispatched, with 12 of the vulnerabilities annotated with the dreaded words “may lead to arbitrary code execution”.
Here they are, coalesced into a single table:

| Component | Affects | Impact | CVEs |
|---|---|---|---|
| BIND | LM | DoS, Data leakage | 2 |
| Apple Installer | L | Data leakage | 1 |
| OS X Kernel | L | Sandbox bypass | 1 |
| Apple LoginWindow | M | Password leakage | 1 |
| Apple Mail | SL | Security bypass | 1 |
| Apple Mobile Accounts | M | Password leakage | 1 |
| Apple Profile Manager | L | Authentication bypass | 1 |
| Ruby OpenSSL | SL | Crypto bypass (SSL/TLS) | 1 |
| Apple Safari | LM | Data leakage | 3 |
| TrustWave CA | SLM | User credential leakage | n/a |
| Apple Unicode support | SL | RCE | 1 |
| OS X USB support | L | RCE | 1 |

* The initials S, L and M denote that the vulnerability affects Snow Leopard, Lion and Mountain Lion respectively.
* DoS stands for Denial of Service.
* RCE stands for Remote Code Execution.
As often happens with simultaneous upgrades to three different core versions of OS X, there isn’t a one-size-fits-all download you can apply.
Mountain Lion users move to 10.8.2, which includes an update from Safari 6.0 to 6.0.1.
The Safari update is critical, as it fixes data leakage vulnerabilities in the browser front-end, as well as potential remote code execution holes in WebKit, OS X’s core HTML rendering technology.
On Snow Leopard, the security fixes don’t change the OS version. You need Security Update 2012-004. There’s no update to Safari or WebKit – Snow Leopard users stay at Safari 5.1.7.
Apple also published an iPhoto update at the same time: if you’re on Mountain Lion, as I am, you’ll find you have to go to 10.8.2 before you can get the “performance and stability improvements” promised by upgrading iPhoto.
By the way, the new version of OS X Mountain Lion was a 366MByte download; iPhoto on its own clocked in at 373MBytes.
I suspect Apple is trying to tell me something there – I just haven’t worked out what it is yet.