Apple's OS X and Safari get biggish security fixes

Filed Under: Apple, Apple Safari, Featured, Security threats, Vulnerability

Apple has published updates for all supported versions of OS X, namely Mountain Lion (10.8), Lion (10.7) and Snow Leopard (10.6).

The operating system part of this update fixes numerous holes in eleven distinct parts of OS X.

This includes patches for security vulnerabilities in components that are themselves responsible for security.

Affected components include Directory Services (remote code execution), OpenSSL (information disclosure) and SMB (information disclosure).

Version 6 of Apple's Safari browser gets an update at the same time.

The executive summary of the Safari update notes merely that it "improves stability for some websites with chat features and games," but the security summary is the important one.

Safari 6.0.5 deals with no fewer than 23 CVE-listed remote code execution vulnerabilities.

That's the sort of bug that can lead to infection-just-by-browsing, where malicious software delivered into your browser manages to escape and execute outside your browser without stopping to ask for permission.

Additional patches to Safari 6.0.5 close off three cross-site scripting (XSS) vulnerabilities.

XSS is a problem because it can allow crooks to trick you into interacting with a malicious site by sucking dodgy content into the browser window of a legitimate site, effectively "borrowing" the genuine site's trustworthiness.

Updates by version

Mountain Lion users get a full-on point update to OS X 10.8.4. This update includes the update to Safari 6.0.5.

Snow Leopard and Lion users get Security Update 2013-002.

Note that the 2013-002 update deals only with the non-Safari vulnerabilities, so Lion users need a separate update to get to Safari 6.0.5. (Snow Leopard is still stuck on Safari 5, which doesn't get an update.)

If you simply let Apple's Software Update do the work for you, you won't have to worry about how to find the components of the update, though you'll may never find out quite what the update was all about.

That's OK, but for those of a more inquisitive disposition, here's a guide to the relevant articles amongst Apple's knowledgebase and download pages.

→ The second-listed Mountain Lion update below is what Apple calls a "Combo," and allows you to upgrade from any 10.8 version directly to 10.8.4 without updating to each point release in between. The "Combo" update is useful to keep up your sleeve for fresh OS X installs, where you may emerge from the installation process with a fully functional but entirely unpatched system.

If you have: Size KB page Download page
Mountain Lion 10.8.3 342 MB HT5784 DL1658
Mountain Lion (any) 801 MB HT5784 DL1659
Snow Leopard 10.6.8 330 MB HT5784 DL1660
Lion 10.7.5 58 MB HT5784 DL1661
Lion Server 106 MB HT5784 DL1662
Snow Leopard Server 405 MB HT5784 DL1663
Safari 6 ??? HT5785 ???

I haven't listed a download link for Safari 6.0.5 for the rather simple reason that I can't find one.

Apple's official product announcement says only that "for OS X Lion systems Safari 6.0.5 is available via the Apple Software Update application," so I suggest you simply update that way.

, , , , , , , , ,

You might like

10 Responses to Apple's OS X and Safari get biggish security fixes

  1. po8crg · 853 days ago

    Safari for Windows?

    • Paul Ducklin · 853 days ago

      Safari for Windows is still at version 5, so (like the Snow Leopard version of Safari) it doesn't get an update.

      Having said that, Safari 5 for Windows is way behind Safari 5 for Snow Leopard, anyway. It last had security fixes in 2012...IIRC it's some 12 updates behind the OS X version.

      So I doubt it would have got an update even if Snow Leopard's version had.

      I have to say you should probably avoid it.

  2. sean · 852 days ago

    FYI components is mis-spelled "conponents" in this para:

    "If you simply let Apple's Software Update do the work for you, you won't have to worry about how to find the conponents of the update..."

  3. MikeP_UK · 852 days ago

    That the Windows version of safari is so far out-of-date means it is possibly very unsafe and should be avoided. But, for those of us who develop applications, wikis, etc and need to be sure everything displays correctly on a range of common browsers we need to have IE, FF, Safari, Chrome, etc installed. So we are forced to be unsafe by Apple's dangerously slow updates on this platform. Not good at all!

    • Paul Ducklin · 852 days ago

      It gives only a small amount of additional safety....but you could consider running your alternative browers in a virutal machine that you reset to a pre-test snapshot after each test.

      Or you could simply say, "I'm not going to test in Safari for Windows because I'd rather my that my readers avoided it" :-)

      You could even do browser detection and tell them that with a static HTML page that you'd only need to test once. Consider actually saying, "We don't support Safari for Windows because we are unwilling to have it installed for testing, and we'd rather encourage you to switch browsers than let you see our page untested."

      • njorl · 851 days ago

        Maybe he's using S4W for a general test of his pages' compatibility with Safari, being unwilling to purchase an Apple computer for the purpose. (Depending on the complexity of the pages, that might be a reasonable compromise.)

    • Laurence Marks · 852 days ago

      If the only thing you are doing with Safari for Windows is testing your own web pages, there's no exposure.

      • Paul Ducklin · 852 days ago

        Except for having the browser installed in the first place. (If it isn't there, you *know* you can't inadvertently connect to the wrong place with, your own pages may link to or include third-party content that you don't directly control.)

  4. aitchjayem · 851 days ago

    I run Mountain Lion 10.8.4 and the only update I saw today when I checked was for a RAW digital camera update. Should I be concerned?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog