Apple fixes irritating Mountain Lion bugs, firms up Java defenses
Keeps 25% of Mac users happy by continuing to patch 2009's Snow Leopard
Computerworld - Apple on Tuesday updated OS X Mountain Lion, likely for one of the last times, with a combination of compatibility and reliability bug fixes as well as vulnerability patches.
The update to OS X 10.8.4 -- the first from Apple since mid-March -- was accompanied by security-only updates for both OS X 10.7, aka Lion, and OS X 10.6, better known as Snow Leopard.
Mountain Lion received at least 16 non-security bug fixes -- the number Apple called out in an advisory -- ranging from improved Calendar-to-Exchange server synchronization to allowing FaceTime video calls to non-U.S. phone numbers. A pair of fixes improved the reliability of connecting to workplace Wi-Fi networks, while others dealt with irritating issues, including Macs' refusal to go into sleep mode after having run Boot Camp and the chat and texting client's habit of mixing up the order of messages.
On the security side, OS X 10.8.4 patched 31 vulnerabilities in Mountain Lion, 17 of which were labeled with the phrase "may lead to ... arbitrary code execution," Apple's way of saying the bug was critical.
A majority of the patches were aimed at open-source components integrated with Mountain Lion, such as OpenSSL, an open-source implementation of SSL encryption (13 patches), and Ruby, a programming language (8). Another four patches quashed bugs in Apple's own QuickTime media player.
One of the OpenSSL patches disabled the protocol's compression to block hacks that use techniques revealed last September by a pair of security researchers; Apple acknowledged that there were "known attacks." Dubbed CRIME, the attack can decrypt session cookies from supposedly secure HTTPS connections.
Apple listed the two researchers who came up with CRIME, Juliano Rizzo and Thai Duong, in its advisory.
Also tucked into 10.8.4 was a change in how OS X handles Java Web Start applets, yet another attempt by Apple to stymie an increasing number of attacks leveraging Java vulnerabilities.
"Starting with OS X 10.8.4, Java Web Start applications downloaded from the Internet need to be signed with a Developer ID certificate," Apple said. "Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed."
Gatekeeper is a Mountain Lion-only security tool designed to bar the installation of malware by requiring programs of all kinds to be digitally signed. By default, only software downloaded from the Mac App Store or signed with certificates Apple provides to registered developers can be installed on Mountain Lion.