Apple patches 36 bugs in OS X, fixes encryption password goof
Updates Lion to 10.7.4, provides security-only fixes for Snow Leopard
Computerworld - Apple yesterday patched 36 vulnerabilities in Mac OS X, most of them critical, plugging a hole that revealed passwords used to encrypt folders with an older version of FileVault.
Both Mac OS X 10.7, aka Lion, and 10.6, better known as Snow Leopard, were updated with fixes. The two operating systems were last updated in February.
High on the fix list was one specific to Lion that put FileVault passwords in plain text, where they could easily be read -- and thus encrypted folders deciphered -- if a Mac was stolen or lost. The software consultant who publicly reported the bug attributed it to a programming error on Apple's part.
"The login process recorded sensitive information in the system log, where other users of the system could read it," Apple's advisory stated. Apple also acknowledged that the plain-text passwords may persist in the Mac's logs after users update to 10.7.4, and urged them to review a support document that walked through steps to eradicate any that are remaining.
Among the other patches were four Snow Leopard-only fixes quashing bugs that could be exploited via malicious image files; another four in QuickTime, Apple's media player and browser plug-in; and one in FileVault 2, the full-disk encryption technology used by Lion.
The FileVault 2 flaw caused some date to be left unencrypted when a Mac went into "sleep" mode.
Twenty-one of the 36 vulnerabilities were tagged with Apple's phrase of "arbitrary code execution," indicating that they were critical flaws that, if exploited by attackers, could result in a Mac malware infection.
Eight of the bugs affected only Snow Leopard.
On Lion, Apple also included a number of non-security fixes it categorized as stability and compatibility improvements. Many of them were related to connecting to network services, such as Microsoft's Active Directory and that company's Server Message Block (SMB) file-sharing protocol. Both are used by Macs in enterprises to access corporate resources held on servers running Windows.
Snow Leopard's update, dubbed "Security Update 201-002," received no feature improvements.
Yesterday's update may be the last for Snow Leopard, as Apple seems to be on the fast track for OS X 10.8, aka Mountain Lion, which may ship as soon as late June. Apple typically stops serving security updates to the oldest edition in its support rotation when it finalizes a major operating system upgrade.
Last year, OS X 10.5, or Leopard, received its final security update in late June, about a month before Apple launched Lion. Leopard's versions of iTunes, QuickTime and Java, however, were updated after June 2011.
As usual, some users reported problems with the update.
No one problem was dominant in those reports, but the MacBook Pro-not-booting thread was heavily trafficked, with more than 1,500 views since its inception Wednesday afternoon.
Mac OS X 10.7.4 and the separate 2012-002 security update for Snow Leopard can be downloaded from Apple's support site or installed using the operating system's built-in update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Apple sends users scrambling for OS X Yosemite
- Apple unwraps OS X Yosemite public beta Thursday
- OS X Snow Leopard desertion rate accelerates after patches stop
- What makes OS X Mavericks so special?
- Apple's WWDC set for June 10-14, hints at fall launch of next iPhone
- Mountain Lion mauls other OS X editions for top spot
- Apple consistently convinces customers to upgrade OS X
- Apple to kill Messages beta for OS X Lion next month
- OS X Mountain Lion's torrid upgrade pace cools
- Apple rolls out iOS 6, upgrades Mountain Lion
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Advanced Attacks Demand New Defenses Cyber-criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss....
- Mission Critical: Managing Mobile Applications & Content Smartphones, tablets and other mobile devices have become embedded in enterprise processes, thanks to the consumerization of IT and a new generation of...
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Planning for Mobile Success Many organizations are seeing clear and quantifiable benefits from the deployment of mobile technologies that provide access to data and applications any time,...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Mac OS X White Papers | Webcasts