Apple ships OS X 10.8.3 – 11 remote code execution vulns patched, Snow Leopard and Lion get fixes too

Apple has shipped the latest point release of its flagship Mountain Lion operating system.

This brings current-version Mac users to OS X 10.8.3.

You can upgrade in three ways:

  • Let Apple’s own Software Update from the Apple menu take care of it via the App Store.
  • Download a standalone updater (541MByte) to take you from 10.8.2 to 10.8.3.
  • Download the Combo updater (794MByte) to take you from any earlier OS X 10.8 flavour to 10.8.3.

Unless you have a bandwidth-related reason not to go for the biggest download, I recommend you go for the Combo updater.

It’s worth having around even if you only have one Mac, in case you need or want to reinstall Mountain Lion.

With the most recent Combo updater handy, you can install plain old OS X 10.8 and then leap in one bound to the latest point release.

What’s new?

Apple, as usual, links to its regular landing page for security updates, knowledgebase article HT1222.

But that page, as usual, is lagging behind the actual update situation, with the most recent entry (as at 2013-03-15T20:40UTC+11) being Apple’s Java security fix from 04 March 2013.

→ If anyone at Apple is reading this, please beg your product managers to reorganise their update workflow so that the security notifications go live at the same time as, or before, the actual updates are published. After all, you invite your users to visit HT1222 from the start; I suggest that it’ll be much easier to persuade people to be early adopters if you have all your informational ducks in a row from the start.

Having said that, the version-specific security update page is live, and can be found at knowledgebase article HT5672.

On security grounds alone, the update sounds well worth applying quickly.

There are fixes for 21 CVE-listed vulnerabilities, 11 of which are documented as offering remote attackers the potential for arbitrary code execution.

There are also various fixes for problems relating to data leakage or incorrect authentication (which invariably leads to data leakage because it permits users to see things they shouldn’t).

The most interesting bug-fix, however, is CVE-2013-0967, whereby “visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled.”

It’ll be something of a surprise for anyone who was relying on Apple’s new-found strictness against Java to find that turning Java off in your browser didn’t necessarily have the desired effect!

Since running Java applets exposes you to a whole additional raft of possible security holes, this fix reinforces my suggestion above that this is an update worth applying as soon as you can.

Another noteworthy update is that the amusing (if unfunny) “fIle colon slash slash slash” bug is now a thing of the past.

That was a flaw in Apple’s background data recognition software, which aims to auto-highlight text such as URLs displayed by applications such as word processors, text editors, browsers and email clients.

If you typed “file colon slash slash slash” (which denotes a local URL, i.e. a file or directory on your computer) then you’d be OK.

But if you mixed the case in the word “file”, for example as “FiLE”, OS X would fail an overly-strict internal error check and the affected application would almost immediately crash.

Irritating, for sure. But not very severe, and in any case now a bug of the past.

Safari gets bumped up to version 6.0.3, just in case you hadn’t already fetched that as a standalone update.

And Windows 8 can now much more easily be installed alongside OS X, thanks to an upgraded version of Boot Camp.

Lastly, if you have one of the newfangled Retina MacBook Pro laptops, one Mac-oriented website claims that 10.8.3 will squeeze 20 minutes more out of your Mac’s battery than 10.8.2 did.

That’s about it.

As an early adopter, I grabbed the Combo update as soon as I could and applied it.

I haven’t had any trouble…yet, so I’ll give you a cautious “thumbs up” to go ahead right away.

If you’re an early adopter too, and you’ve grabbed 10.8.3 already, please let us know in the comments how you got along.

Your observations will help those who are still nervous of large-sounding point updates to make up their minds…

NB. The Snow Leopard (10.6.8) and Lion (10.7.5) updates aren’t full-on point updates. They’re designated Security Update 2013-001 instead, and include all the 10.8.3 security fixes mentioned above. Like all updates explicitly labelled “security update”, they’re implicitly recommended for immediate deployment.