Alongside the release of OS X 10.9.4 Mavericks
for newer Macs, Apple has also releases security-oriented updates for OS X 10.7.x (Lion)
, the server version
of Lion, and for 10.8.x Mountain Lion
. The vulnerabilities patched for all three versions include an update to the certificate trust policy, a flaw in the "copyfile" command, and an issue with the Dock that could allow apps to circumvent the sandboxing restrictions. Numerous other discovered potential security vulnerabilities were also addressed.
Issues that were shared with both Mountain Lion and Mavericks up to 10.9.3 included a flaw in the graphics drivers system that allowed users to read the contents of kernel memory, as well as a validation issue regarding OpenGL by the Intel graphics driver. Similar issues were addressed with Intel Compute and the IO Accelerator Family. In addition, a flaw was discovered by an Adium researcher in the secure transport mechanism and addressed. Many of the issues fixed were uncovered by Ian Beer of Google Project Zero.
OS X 10.9.4, released on Monday, addressed any overlapping security issues covered in the Lion, Lion Server and Mountain Lion updates, as well as addressing a handful of new issues. Among the flaws fixed in 10.9.4 were a vulnerability in curl that could allow access to another user's session; an iBooks Commerce flaw that could conceivably have allowed an attacker with system access to read login credentials; bugs that could allow local users to bypass address space randomization in the IOGraphics Family; an IOReporting glitch that could cause a spontaneous restart; various flaws in launchd; a bug in Keychain that sometimes disallowed keystrokes, and a security issue in Thunderbolt.
Users can update their systems by launching Software Update, where they will see the appropriate security update available for their OS version. For Mavericks owners, updating to 10.9.4 includes all the patches to fix the issues present in 10.9.0-10.9.3. The updates are free for all users.