Apple fixed a number of serious vulnerabilities in OS X, the Safari
Web browser, and a handful of third-party packages as part of a
substantial update. The patches are available on Software Update and
users should make sure the fixes are applied immediately.
The updates affect all supported versions of OS X (Mountain Lion 10.8, Lion 10.7 and Snow Leopard 10.6) and close several remote code execution flaws in the operating system and Safari, Apple said in its advisory
posted yesterday. The patches also addressed issues in QuickTime and
the OS X implementation of OpenSSL and Ruby. The Ruby bugs are currently
being exploited in the wild.
Multiple vulnerabilities have recently been identified in Ruby on
Rails, the most serious of which can result in attackers remotely
executing code on systems running Rails applications. Apple addressed
eight distinct vulnerabilities by updating Ruby on Rails in OS X to
version 2.3.18. This issue will likely impact OS X Lion or OS X
Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or
earlier, Apple said.
OS X Fixes
Apple fixed several remote code
execution bugs in the operating system. Attackers could exploit one such
flaw in the CoreAnimation component, where all the user has to do is
browse to a maliciously crafted URL in order to get compromised. Another
bug in the Playback component could be exploited with a maliciously
crafted movie file, Apple said. There are four different patches for
QuickTime fixing remote code execution flaws which could be exploited by
maliciously crafted MP3, FPX, QTIF, and other movie files.
Another serious remote code execution bug was in the Directory
Service component, but it affected only users with Snow Leopard systems
who have enabled the service. Directory Service tracks all the user and
group authentication information using various platforms, including
Active Directory, LDAP, AppleTalk, and SMB file sharing. Apple replaced
Directory Service with Open Directory in Lion and Mountain Lion.
Attackers could exploit the flaw by sending a maliciously crafted
message over the network to cause the directory server to crash or
remotely execute code, Apple said.
OpenSSL, Safari Issues
Apple fixed 13 issues in
OpenSSL, one of which would allow attackers to launch the CRIME attack,
where an attacker could decrypt SSL-protected sessions. The compression
attack on TLS 1.0 was developed by security researchers Thai Duong and
Juliano Rizzo.
The new Safari, version 6.0.5,
fixed 23 distinct remote code execution vulnerabilities and three
cross-site scripting flaws. The issues were all related to the WebKit
engine that powers the browser.
"Multiple memory corruption issues existed in WebKit," Apple said in its advisory.
These issues expose Mac users to infection-by-browsing attacks, and
the attackers would be able to execute code outside the browser and
directly on the system without needing user authorization. Cross-site
scripting bugs also allow attackers to create malicious sites containing
elements from legitimate pages to trick users into thinking these
spoofed sites are trustworthy.
Get That Update
Users who use Apple's Software
Update get the correct update automatically. Users who decide to do it
manually will need to grab the OS X 10.8.4 update (which includes Safari
6.0.5) for Mountain Lion and Security Update 2013-002 (which doesn't
include the Safari update) for Snow Leopard and Lion systems. Please
note that Snow Leopard doesn't get the new Safari version as it is still
on Safari 5.
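As an added example (not from the article or from Apple), the script below turns the guidance above into a check an administrator can run on a fleet: given the OS X and Safari version strings, it reports which of the updates named in the article a machine still needs. The version numbers come from the article; the helper names (version_ge, needed_update) are this example's own, and on a Mac it reads the live values with sw_vers and the Safari bundle's CFBundleShortVersionString.

```shell
#!/bin/sh
# Added example, not the article's code. Thresholds are the ones the
# article gives: OS X 10.8.4, Safari 6.0.5, Security Update 2013-002.

# version_ge A B: exit 0 when dotted version A >= B, comparing field by field.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"           # leading field of each
        [ "$x" = "$a" ] && a="" || a="${a#*.}"  # drop it from the remainder
        [ "$y" = "$b" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"             # missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# needed_update OSVER SAFARIVER: print what is still missing per the article.
needed_update() {
    os="$1"; safari="$2"
    case "$os" in
        10.8|10.8.*)                         # Mountain Lion: 10.8.4 bundles Safari
            if ! version_ge "$os" 10.8.4; then
                echo "install OS X 10.8.4 (includes Safari 6.0.5)"
            elif ! version_ge "$safari" 6.0.5; then
                echo "install Safari 6.0.5"
            else
                echo "up to date"
            fi ;;
        10.7|10.7.*)                         # Lion: separate Security Update
            # The Security Update does not change the OS version string,
            # so only the Safari part can be confirmed from versions alone.
            if ! version_ge "$safari" 6.0.5; then
                echo "install Safari 6.0.5 and Security Update 2013-002"
            else
                echo "Safari current; confirm Security Update 2013-002 is installed"
            fi ;;
        10.6|10.6.*)                         # Snow Leopard stays on Safari 5
            echo "confirm Security Update 2013-002 is installed" ;;
        *)  echo "unsupported version: $os" ;;
    esac
}

# On a Mac, read the live values; elsewhere the functions are still callable.
if command -v sw_vers >/dev/null 2>&1; then
    os=$(sw_vers -productVersion)
    safari=$(defaults read /Applications/Safari.app/Contents/Info.plist \
             CFBundleShortVersionString 2>/dev/null)
    needed_update "$os" "${safari:-0}"
fi
```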