Apple ships updates, including Snow Leopard (ONLY KIDDING!)‏

Filed Under: Apple, Apple Safari, Featured, iOS, OS X, Vulnerability

We're kidding about updates to Snow Leopard, of course, not about the updates in general.

Indeed, Apple has just pushed out its latest raft of improvements and fixes for iOS, Apple TV, Safari and OS X.

But Snow Leopard is conspicuous by its absence once again: OS X 10.6 doesn't have any operating system updates and isn't getting a Safari fix.

The updates that have come out are:

  • iOS 7.1.2
  • Apple TV 6.1.2
  • Safari 7.0.5
  • Security Update 2014-003 for OX 10.7 and 10.8
  • OS X Mavericks 10.9.4 (includes Safari 7.0.5)

As seems to be standard practice these days, Apple has rolled the Safari update into the point release for OS X 10.9 Mavericks.

If you have Lion (10.7) or Mountain Lion (10.8) you will receive two updates, one patching numerous security holes in the operating system and its components excluding Safari, and the other to deliver you the latest Safari.

Regular and frequent?

Just over a month ago (23 May 2014, in fact), I wondered if Safari updates were becoming more regular and more frequent, and I drew a little railway map to see if there was any obvious pattern emerging:


I was forced to admit that it was too early to tell, since the five-update run at the far right was matched by an equally impressive-looking run in 2012 that went off the rails in 2013.

I don't know whether to change my mind now I've added the latest Safari update to the picture:


But I do know that I'm still desperately hoping that Apple will start scheduling its large-scale updates more predicatably.

If Cupertino is able to push out updates approximately once a month, it seems reasonable to expect it could to do so precisely once a month, so that we could all plan in advance.

Although more and more Naked Security readers seem inclined to agree, there are still a few hold-outs who think not only that updates don't need to be monthly, but also that they are better off done in an unpredictable fashion.

Does regular mean better?

There seem to be three main arguments against Apple committing to monthly security fixes on known dates:

  1. Crooks will hold back new zero-days until just after an update, if they can be sure when the next one is coming out.
  2. Crooks work backwards from updates to uncover exploits they didn't yet know about, which is easier if the updates are predicatably scheduled.
  3. Apple's products simply don't need as many updates as competing vendors, so in many months there would no updates, or updates just for appearance.

To which I offer the answers, or at least the counter-questions:

  1. Why?
  2. Why?
  3. Oh, really?

I almost buy the argument about the risk of crooks holding back on deploying new zero-days until what you might call "Post-Patch Wednesday," on the grounds that it feels as though it ought to be true.

Except that no such pattern seems to have emerged on Windows, even after more than ten years of Patch Tuesdays.

After all, having a regular update cycle doesn't (and, indeed, ought not to) preclude a software vendor from having a process for emergency or so-called out-of-band fixes as well.

Anyway, Apple updates approximately once every month or two, so if the crooks really want to risk wasting a new zero-day by holding onto it until just after the next update, they can do so even if Apple doesn't follow the calendar predictably.

And I can see why it might be very, very slightly easier for the crooks to to reverse-engineer the latest patches (i.e. to work backwards from a fix to an exploit) if they knew that it was better to have hired hackers standing by on every second Wednesday in the month, say, than on any other day.

The same predictability that makes it easier for system adminstrators to patch 10,000 computers in 24 hours if they can plan ahead might, indeed, aid the cybercriminals too.

So I'll give you point two as a theoretical benefit to the Bad Guys, even though I'm not convinced it would make any measurable difference to their overall attack capabilities.

As for Apple not having enough security updates to fill a bag of patches every month, all I can say is that a month where there was genuinely nothing worth fixing would be a fantastic problem to have.

What's fixed this month?

These latest fixes cover at least 10 remote code execution (RCE) updates in Safari - the sort of bugs that can be exploited using web pages that deliver what are often referred to as "drive-by downloads" or "open-and-own" attacks.

There's also data leakage hole patched in Safari, and a patch for a bug that could allow crooks to take you to a dodgy site but show you a completely different website name in the address bar.

The browser on iOS gets even more love and attention, with close to 30 RCEs closed off, including two vulnerabilities going back to 2013.

There are also at least 19 vulnerabilities sorted out in OS X, including remote code execution and an elevation of privilege (EoP) exploit that could allow a regular program to acquire system-level powers.

As we have pointed out several times before, combining an RCE with an EoP can make an otherwise quite limited attack into something much more serious.

The most intriguing patch, however, is for a bug known as CVE-2014-1361, whereby the OS X Mavericks lock screen may occasionally fail to intercept the keyboard properly.

Attackers could therefore type text into application windows running behind the lock screen, although they would have to guess which windows were in what order, and what sort of input the software was waiting for.

This sounds more amusing than dangerous, until you stop to think that your usual action, on seeing the lock screen, is to type in your password followed by [Enter].

And that might not be quite what you want to do if the program under the lock screen is an instant messaging or social media app!

So, there are plenty of patches, and - you will surely be prepared to admit - more than enough to make it unlikely that a whole month could ever go by with no patches worth publishing, especially when iOS is still catching up with vulnerabilities discovered last year.

At the time of writing [2014-06-30T22:00Z], Apple still doesn't have the standalone versions of these patches ready for download, but they're there for the taking via Settings > General > Software Update on your iDevice, or Apple Menu > Software Update... on OS X.

Sophos Anti-Virus for Mac Home Edition - free download

, , , , , , , , ,

You might like

4 Responses to Apple ships updates, including Snow Leopard (ONLY KIDDING!)‏

  1. zeke motta · 462 days ago

    Hello Paul,

    just two questions:

    1) are extensions such as Disconnect, Adblock etc dangerous?

    2) when i use gmail and click on the Details I always read this (paraphrase)

    "this account does not seem to be open in other locations but not all sessions have been signed out"

    now: i always sign out. why does that happen???

    all the best

    • Paul Ducklin · 461 days ago

      1) Adblock is certainly popular amongst Naked Security readers, judging by our comments (and not just popular but actively recommended); Disconnect I have never used. Any other readers use it and care to weigh in?

      2) Not sure. I am not a Gmail user (feeding the Big G my searching habits is giving away enough information about me for one lifetime :-)...

      • zeke · 461 days ago

        Disconnect also makes a search extension that enables duckduck,.

        If you don't feed the big G then you are probably feeding a small B. :) I don't believe in innocence in the web. i don't really mind that they know my search habits. It is a very good email service and it is free. I just don't want to have the integrity of my browsers compromised by extensions.

        thanks, Paul.
        kind regards,

  2. zeke · 461 days ago

    Disconnect is excellent at blocking ads as well. & not only that. it does appear to speed up loading times as well. I do notice a big difference.

    best regards

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog