Apple patches 36 bugs in OS X, fixes encryption password goof
Updates Lion to 10.7.4, provides security-only fixes for Snow Leopard
Computerworld - Apple yesterday patched 36 vulnerabilities in Mac OS X, most of them critical, plugging a hole that revealed passwords used to encrypt folders with an older version of FileVault.
Both Mac OS X 10.7, aka Lion, and 10.6, better known as Snow Leopard, were updated with fixes. The two operating systems were last updated in February.
High on the fix list was one specific to Lion that put FileVault passwords in plain text, where they could easily be read -- and thus encrypted folders deciphered -- if a Mac was stolen or lost. The software consultant who publicly reported the bug attributed it to a programming error on Apple's part.
"The login process recorded sensitive information in the system log, where other users of the system could read it," Apple's advisory stated. Apple also acknowledged that the plain-text passwords may persist in the Mac's logs after users update to 10.7.4, and urged them to review a support document that walked through steps to eradicate any that are remaining.
Among the other patches were four Snow Leopard-only fixes quashing bugs that could be exploited via malicious image files; another four in QuickTime, Apple's media player and browser plug-in; and one in FileVault 2, the full-disk encryption technology used by Lion.
The FileVault 2 flaw caused some date to be left unencrypted when a Mac went into "sleep" mode.
Twenty-one of the 36 vulnerabilities were tagged with Apple's phrase of "arbitrary code execution," indicating that they were critical flaws that, if exploited by attackers, could result in a Mac malware infection.
Eight of the bugs affected only Snow Leopard.
On Lion, Apple also included a number of non-security fixes it categorized as stability and compatibility improvements. Many of them were related to connecting to network services, such as Microsoft's Active Directory and that company's Server Message Block (SMB) file-sharing protocol. Both are used by Macs in enterprises to access corporate resources held on servers running Windows.
Snow Leopard's update, dubbed "Security Update 201-002," received no feature improvements.
Yesterday's update may be the last for Snow Leopard, as Apple seems to be on the fast track for OS X 10.8, aka Mountain Lion, which may ship as soon as late June. Apple typically stops serving security updates to the oldest edition in its support rotation when it finalizes a major operating system upgrade.
Last year, OS X 10.5, or Leopard, received its final security update in late June, about a month before Apple launched Lion. Leopard's versions of iTunes, QuickTime and Java, however, were updated after June 2011.
As usual, some users reported problems with the update.
No one problem was dominant in those reports, but the MacBook Pro-not-booting thread was heavily trafficked, with more than 1,500 views since its inception Wednesday afternoon.
Mac OS X 10.7.4 and the separate 2012-002 security update for Snow Leopard can be downloaded from Apple's support site or installed using the operating system's built-in update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Apple sends users scrambling for OS X Yosemite
- Apple unwraps OS X Yosemite public beta Thursday
- OS X Snow Leopard desertion rate accelerates after patches stop
- What makes OS X Mavericks so special?
- Apple's WWDC set for June 10-14, hints at fall launch of next iPhone
- Mountain Lion mauls other OS X editions for top spot
- Apple consistently convinces customers to upgrade OS X
- Apple to kill Messages beta for OS X Lion next month
- OS X Mountain Lion's torrid upgrade pace cools
- Apple rolls out iOS 6, upgrades Mountain Lion
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Confront consumerization with convergence Virtualization expert Elias Khnaser spotlights the security, compliance, and governance issues that arise when enterprise users "consumerize" with shadow IT and public cloud...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Mac OS X White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!