Apple issues security update for Snow Leopard, Lion, Server versions
MacNN Staff
Jun 4, 2013, 08:06 PM
As expected, Apple has issued Security Update 2013-002 for older versions of OS X, which is limited to the security-oriented changes present in the latest Mountain Lion update, v10.8.4, which was issued earlier today. Updates for Snow Leopard (10.6), the OS X Server version of Snow Leopard, the OS X Server version of Lion (10.7) and the client version of Lion are all now available through Software Update or Apple's own Support Downloads page. Issues were found and patched for OpenSSL, QuickTime, Ruby and SMB among other areas.

Among the issues addressed was an issue with CoreMedia Playback that affected Lion and Lion Server where a maliciously-crafted movie file could have led to a crash or arbitrary code execution due to an uninitialized memory access issue in the handling of text tracks. Directory Service in Snow Leopard (Client and Server) was patched to remove an issue in the program's handling of messages from the network. OpenSSL across all three supported OS releases (10.6, 10.7 and 10.8) was updated to version 0.9.8x to close a host of potential problems, and compression was disabled due to the discovery of a method by which an attacker could decrypt data protected by SSL through TLS 1.0 when it was compressed.

QuickTime was corrected to solve a buffer overflow error in the handling of "enof" atoms as well as addressing a memory corruption issue in the handling of QTIF files. The buffer overflow issue was discovered by Microsoft employees working with HP's Zero Day security initiative, while the QTIF issue was found by "roob" working with iDefense VCP. Tobias Klein of the Zero Day Initiative also found a buffer overflow error in QuickDraw Manager related to the handling of PICT images that could have led to crashes or arbitrary code execution in Lion or Mountain Lion, while G. Geshev working with HP's Zero Day Initiative found a buffer overflow problem in QuickTime related to FPX files that has also now been corrected.

Two open-source components, Ruby and SMB, have also had fixes implemented. Ruby has been updated to version 2.3.18 for OS X 10.6 and later to close a number of vulnerabilities, including a serious issue that could have led to arbitrary code execution across systems running Ruby on Rails applications. The SMB found on Lion and Mountain Lion was discovered to allow users to write files outside the shared directory if SMB sharing was turned on, and thus the issue was corrected. The SMB report came from researcher Ward van Wanrooij.

The update for Snow Leopard (Client) is 329.85MB in size, with the Server version being 404.83MB (updates through Software Update, which are tailored for different models, may reflect slightly different sizes). The Lion update is 57.69MB large and requires 10.7.5, the last version of Lion available, while the Server version weighs in at 105.61MB. The Snow Leopard updates require 10.6.8.