Apple has published updates for all supported versions of OS X, namely Mountain Lion (10.8), Lion (10.7) and Snow Leopard (10.6).
The operating system part of this update fixes numerous holes in eleven distinct parts of OS X.
This includes patches for security vulnerabilities in components that are themselves responsible for security.
Affected components include Directory Services (remote code execution), OpenSSL (information disclosure) and SMB (information disclosure).
Version 6 of Apple’s Safari browser gets an update at the same time.
The executive summary of the Safari update notes merely that it “improves stability for some websites with chat features and games,” but the security summary is the important one.
Safari 6.0.5 deals with no fewer than 23 CVE-listed remote code execution vulnerabilities.
That’s the sort of bug that can lead to infection-just-by-browsing, where malicious software delivered into your browser manages to escape and execute outside your browser without stopping to ask for permission.
Additional patches to Safari 6.0.5 close off three cross-site scripting (XSS) vulnerabilities.
XSS is a problem because it can allow crooks to trick you into interacting with a malicious site by sucking dodgy content into the browser window of a legitimate site, effectively “borrowing” the genuine site’s trustworthiness.
Updates by version
Mountain Lion users get a full-on point update to OS X 10.8.4. This update includes the update to Safari 6.0.5.
Snow Leopard and Lion users get Security Update 2013-002.
Note that the 2013-002 update deals only with the non-Safari vulnerabilities, so Lion users need a separate update to get to Safari 6.0.5. (Snow Leopard is still stuck on Safari 5, which doesn’t get an update.)
If you simply let Apple’s Software Update do the work for you, you won’t have to worry about how to find the components of the update, though you may never find out quite what the update was all about.
That’s OK, but for those of a more inquisitive disposition, here’s a guide to the relevant articles amongst Apple’s knowledgebase and download pages.
→ The second-listed Mountain Lion update below is what Apple calls a “Combo,” and allows you to upgrade from any 10.8 version directly to 10.8.4 without updating to each point release in between. The “Combo” update is useful to keep up your sleeve for fresh OS X installs, where you may emerge from the installation process with a fully functional but entirely unpatched system.
| If you have: | Size | KB page | Download page |
|---|---|---|---|
| Mountain Lion 10.8.3 | 342 MB | HT5784 | DL1658 |
| Mountain Lion (any) | 801 MB | HT5784 | DL1659 |
| Snow Leopard 10.6.8 | 330 MB | HT5784 | DL1660 |
| Lion 10.7.5 | 58 MB | HT5784 | DL1661 |
| Lion Server | 106 MB | HT5784 | DL1662 |
| Snow Leopard Server | 405 MB | HT5784 | DL1663 |
I haven’t listed a download link for Safari 6.0.5 for the rather simple reason that I can’t find one.
Apple’s official product announcement says only that “for OS X Lion systems Safari 6.0.5 is available via the Apple Software Update application,” so I suggest you simply update that way.
10 comments on “Apple’s OS X and Safari get biggish security fixes”
Safari for Windows?
Safari for Windows is still at version 5, so (like the Snow Leopard version of Safari) it doesn't get an update.
Having said that, Safari 5 for Windows is way behind Safari 5 for Snow Leopard, anyway. It last had security fixes in 2012…IIRC it's some 12 updates behind the OS X version.
So I doubt it would have got an update even if Snow Leopard's version had.
I have to say you should probably avoid it.
FYI components is mis-spelled “conponents” in this para:
“If you simply let Apple’s Software Update do the work for you, you won’t have to worry about how to find the conponents of the update…”
Thanks. Fixed it.
That the Windows version of Safari is so far out-of-date means it is possibly very unsafe and should be avoided. But, for those of us who develop applications, wikis, etc and need to be sure everything displays correctly on a range of common browsers we need to have IE, FF, Safari, Chrome, etc installed. So we are forced to be unsafe by Apple's dangerously slow updates on this platform. Not good at all!
It gives only a small amount of additional safety… but you could consider running your alternative browsers in a virtual machine that you reset to a pre-test snapshot after each test.
Or you could simply say, "I'm not going to test in Safari for Windows because I'd rather that my readers avoided it" 🙂
You could even do browser detection and tell them that with a static HTML page that you'd only need to test once. Consider actually saying, "We don't support Safari for Windows because we are unwilling to have it installed for testing, and we'd rather encourage you to switch browsers than let you see our page untested."
Maybe he's using S4W for a general test of his pages' compatibility with Safari, being unwilling to purchase an Apple computer for the purpose. (Depending on the complexity of the pages, that might be a reasonable compromise.)
If the only thing you are doing with Safari for Windows is testing your own web pages, there's no exposure.
Except for having the browser installed in the first place. (If it isn't there, you *know* you can't inadvertently connect to the wrong place with it…plus, your own pages may link to or include third-party content that you don't directly control.)
I run Mountain Lion 10.8.4 and the only update I saw today when I checked was for a RAW digital camera update. Should I be concerned?