Apple patches 36 bugs in OS X, fixes encryption password goof
Updates Lion to 10.7.4, provides security-only fixes for Snow Leopard
Computerworld - Apple yesterday patched 36 vulnerabilities in Mac OS X, most of them critical, plugging a hole that revealed passwords used to encrypt folders with an older version of FileVault.
Both Mac OS X 10.7, aka Lion, and 10.6, better known as Snow Leopard, were updated with fixes. The two operating systems were last updated in February.
High on the fix list was one specific to Lion that put FileVault passwords in plain text, where they could easily be read -- and thus encrypted folders deciphered -- if a Mac was stolen or lost. The software consultant who publicly reported the bug attributed it to a programming error on Apple's part.
"The login process recorded sensitive information in the system log, where other users of the system could read it," Apple's advisory stated. Apple also acknowledged that the plain-text passwords may persist in the Mac's logs after users update to 10.7.4, and urged them to review a support document that walked through steps to eradicate any that are remaining.
Among the other patches were four Snow Leopard-only fixes quashing bugs that could be exploited via malicious image files; another four in QuickTime, Apple's media player and browser plug-in; and one in FileVault 2, the full-disk encryption technology used by Lion.
The FileVault 2 flaw caused some date to be left unencrypted when a Mac went into "sleep" mode.
Twenty-one of the 36 vulnerabilities were tagged with Apple's phrase of "arbitrary code execution," indicating that they were critical flaws that, if exploited by attackers, could result in a Mac malware infection.
Eight of the bugs affected only Snow Leopard.
On Lion, Apple also included a number of non-security fixes it categorized as stability and compatibility improvements. Many of them were related to connecting to network services, such as Microsoft's Active Directory and that company's Server Message Block (SMB) file-sharing protocol. Both are used by Macs in enterprises to access corporate resources held on servers running Windows.
Snow Leopard's update, dubbed "Security Update 201-002," received no feature improvements.
Yesterday's update may be the last for Snow Leopard, as Apple seems to be on the fast track for OS X 10.8, aka Mountain Lion, which may ship as soon as late June. Apple typically stops serving security updates to the oldest edition in its support rotation when it finalizes a major operating system upgrade.
Last year, OS X 10.5, or Leopard, received its final security update in late June, about a month before Apple launched Lion. Leopard's versions of iTunes, QuickTime and Java, however, were updated after June 2011.
As usual, some users reported problems with the update.
No one problem was dominant in those reports, but the MacBook Pro-not-booting thread was heavily trafficked, with more than 1,500 views since its inception Wednesday afternoon.
Mac OS X 10.7.4 and the separate 2012-002 security update for Snow Leopard can be downloaded from Apple's support site or installed using the operating system's built-in update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- New Yosemite dev preview may herald public beta update later this week
- Google ships 64-bit Chrome for OS X
- Apple sends users scrambling for OS X Yosemite
- Apple unwraps OS X Yosemite public beta Thursday
- OS X Snow Leopard desertion rate accelerates after patches stop
- What makes OS X Mavericks so special?
- Apple's WWDC set for June 10-14, hints at fall launch of next iPhone
- Mountain Lion mauls other OS X editions for top spot
- Apple consistently convinces customers to upgrade OS X
- Apple to kill Messages beta for OS X Lion next month
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- Capabilities You Need in an IP Address Management Solution A mismanaged IP space can cripple an otherwise healthy network. Take a moment to understand what you need in an enterprise-ready IPAM solution.
- IPv6 Fundamentals IPv6 is needed to sustain the growth of the Internet. The transition from IPv4 will require planning and likely some degree of support...
- Optimize IT Performance & Availability: Four Steps to Establish Effective IT Management Baselines More than ever before, your company's ability to grow hinges on IT performance and availability. Download this how-to report on establishing IT baselines,...
- Accelerate your innovation with IBM Bluemix™ Join us for a webcast introducing the new IBM BluemixTM. IBM Bluemix (www.bluemix.net) is a developer oriented Platform as a Service (PaaS) environment...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the... All Mac OS X White Papers | Webcasts