NewsPoster Sep 12, 2013 11:39 PM
Apple details security fixes in OS X 10.8.5, Safari 5.1.10
In addition to the latest update to OS X Mountain Lion (10.8.5), Apple on Thursday also updated Snow Leopard's Safari 5.1 for a flaw that fixes a potential security hole in JavaScript. The problem, identified by Certified Secure and Vitaliy Toropov working with HP's Zero Day Initiative, could lead to unexpected quits or arbitrary code execution in Safari when visiting a maliciously-crafted website. The company also issued security updates for Snow Leopard (10.6) and Lion (10.7), with security fixes for Mountain Lion included in the 10.8.5 update.

The Safari 5 bug was caused by "multiple memory corruption issues" existing in JavaScriptCore's "JSArray::sort()" method. The fix addresses the problem with additional bounds checking. The current version of Safari for Lion and Mountain Lion, v6.0.5, does not suffer the problem. Users running Safari 5 will see the update available in Software Update, and can also obtain the download through Apple's Support Downloads page.

Today's update to OS X 10.8 Mountain Lion addresses some security issues as well, which are also patched in Security Updates for users of Snow Leopard and Lion. The updates address multiple vulnerabilities in Apache, Bind, OpenSSL, PHP, PostgreSQL, and malware detector ClamAV. In addition, specific issues were fixed in CoreGraphics, ImageIO, Installer, IPSec, the OS X 10.8.x kernel, Mobile Device Management, the Certificate Trust Policy, Power Management, QuickTime, and Screen Lock.

The problems in Apache, a built-in web server for hosting sites and pages, revolve around cross-site scripting and have been fixed by simply updating it to version 2.2.24 for all three OS X releases. The BIND issues affected only Lion and Mountain Lion, and again were resolved by updating BIND to v9.8.5-P1. ClamAV for 10.6.x and 10.7.x was updated to 0.97.8, OpenSSL was updated to v0.9.8y, PHP to version 5.3.26 and PostgreSQL to v9.0.13, fixing their various vulnerabilities.

Apple also added to or removed some certificates from the list of system roots in all three OS versions, and fixed a buffer overflow bug in Mountain Lion's CoreGraphics and ImageIO discovered by a Google security researcher where a maliciously-crafted file could cause a crash or arbitrary code execution. A flaw in the Installer for Lion and Mountain Lion allowed packages to be opened even after a certificate revocation, and an issue in the Mountain Lion kernel that could cause a denial of service through an incorrect check in the IGMP packet was addressed after its discovery by Protectstar.

Also exclusive to Mountain Lion was a bug in Power Management that prevented a screen saver from starting, and a vulnerability where a user with screen-sharing access could bypass the screen lock when another user logged in was fixed after discovery by Jeff Grisso and Sebastien Stormacq. The 10.8.5 update also addresses an issue where certain Unicode strings could cause applications to fail unexpectedly -- a flaw discovered in August by Alexander Traud.

All three supported OS releases were vulnerable to a bug in IPSec where an attacker could conceivably intercept data supposedly protected by IPSec Hybrid Auth, while QuickTime for all three was updated to stop a bug found by iDefense VCP where a maliciously-crafted movie file could cause crashes or arbitrary code execution. Finally, Lion and Mountain Lion's Mobile Device Management features had a flaw where passwords could be disclosed to other local users, discovered by Per Olofsson at the University of Gothenburg. The issue was fixed by communicating the password through a pipe.

The Mountain Lion update or Security Update 2013-004 can be obtained by using Software Update or downloaded directly from Apple's Support Downloads page. The files may have different names depending on the version of the system being used: those on 10.8.4 will see a "delta" 10.8.5 update, those on 10.8 through 10.8.3 will be steered to the larger "combo" update, and Lion and Snow Leopard (and corresponding Server users) will see just a Security Update 2013-004.
jimoase Sep 13, 2013 06:40 AM
OSX stuttering is a bridge too far for 10.8.5 to fix.

Let the stuttering continue is the new OSX upgrade mantra.
Spheric Harlot Sep 13, 2013 07:00 AM
It's really odd:

All your posts except for two have concerned "stuttering" in OS X 10.8.

You never replied back to this:

It does not look like this is Apple's problem to fix, since hardly anybody else is having it.

This post here would seem to suggest that it's caused by SanDisk SSDs.
Charles Martin Sep 13, 2013 06:14 PM
Agreed with Spheric Harlot. Believe me, if "stuttering" or anything less than fast performance under OS X was normal, we'd have heard a lot about it from people other than just you. I'm certainly not seeing it, and I'm always very concerned about stuff like that.

The problem is either your machine or your practices. Either seek some serious help with the problem in the forums, or stop trolling.
seanpatterson Sep 14, 2013 01:04 AM
Can anyone please confirm whether Safari 5.1.10 has RSS built-in? Thanks!