Apple patches 36 bugs in OS X, fixes encryption password goof
Updates Lion to 10.7.4, provides security-only fixes for Snow Leopard
Computerworld - Apple yesterday patched 36 vulnerabilities in Mac OS X, most of them critical, plugging a hole that revealed passwords used to encrypt folders with an older version of FileVault.
Both Mac OS X 10.7, aka Lion, and 10.6, better known as Snow Leopard, were updated with fixes. The two operating systems were last updated in February.
High on the fix list was one specific to Lion that put FileVault passwords in plain text, where they could easily be read -- and thus encrypted folders deciphered -- if a Mac was stolen or lost. The software consultant who publicly reported the bug attributed it to a programming error on Apple's part.
"The login process recorded sensitive information in the system log, where other users of the system could read it," Apple's advisory stated. Apple also acknowledged that the plain-text passwords may persist in the Mac's logs after users update to 10.7.4, and urged them to review a support document that walked through steps to eradicate any that are remaining.
Among the other patches were four Snow Leopard-only fixes quashing bugs that could be exploited via malicious image files; another four in QuickTime, Apple's media player and browser plug-in; and one in FileVault 2, the full-disk encryption technology used by Lion.
The FileVault 2 flaw caused some date to be left unencrypted when a Mac went into "sleep" mode.
Twenty-one of the 36 vulnerabilities were tagged with Apple's phrase of "arbitrary code execution," indicating that they were critical flaws that, if exploited by attackers, could result in a Mac malware infection.
Eight of the bugs affected only Snow Leopard.
On Lion, Apple also included a number of non-security fixes it categorized as stability and compatibility improvements. Many of them were related to connecting to network services, such as Microsoft's Active Directory and that company's Server Message Block (SMB) file-sharing protocol. Both are used by Macs in enterprises to access corporate resources held on servers running Windows.
Snow Leopard's update, dubbed "Security Update 201-002," received no feature improvements.
Yesterday's update may be the last for Snow Leopard, as Apple seems to be on the fast track for OS X 10.8, aka Mountain Lion, which may ship as soon as late June. Apple typically stops serving security updates to the oldest edition in its support rotation when it finalizes a major operating system upgrade.
Last year, OS X 10.5, or Leopard, received its final security update in late June, about a month before Apple launched Lion. Leopard's versions of iTunes, QuickTime and Java, however, were updated after June 2011.
As usual, some users reported problems with the update.
No one problem was dominant in those reports, but the MacBook Pro-not-booting thread was heavily trafficked, with more than 1,500 views since its inception Wednesday afternoon.
Mac OS X 10.7.4 and the separate 2012-002 security update for Snow Leopard can be downloaded from Apple's support site or installed using the operating system's built-in update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Apple sends users scrambling for OS X Yosemite
- Apple unwraps OS X Yosemite public beta Thursday
- OS X Snow Leopard desertion rate accelerates after patches stop
- What makes OS X Mavericks so special?
- Apple's WWDC set for June 10-14, hints at fall launch of next iPhone
- Mountain Lion mauls other OS X editions for top spot
- Apple consistently convinces customers to upgrade OS X
- Apple to kill Messages beta for OS X Lion next month
- OS X Mountain Lion's torrid upgrade pace cools
- Apple rolls out iOS 6, upgrades Mountain Lion
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- The Truth About Virtual Computing for CAD If you're a user of graphics-intensive software such as 3D modeling, simulation and analysis, and visualization, you might be skeptical about moving to...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Simplifying Product Design In A Complex World Product design engineering has moved far beyond the confines of ever-more powerful workstations. Companies can't afford to restrict projects to using only local...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Mac OS X White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!