Apple released a patch Tuesday that fixes more than a dozen bugs, including a critical remote code-execution flaw in Apple Type Services. The patch release also includes a fix for a flaw in CFNetwork that enabled an attacker to intercept user credentials and other sensitive data silently on a network.
The Apple patch release plugs a total of 13 holes in a variety of OS X components and add-ons, including ClamAV, PHP and Samba. The most serious bug that Apple fixed with this release is the buffer overflow in Apple Type Services, which enables an attacker to run arbitrary code on a remote machine.
“A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking,” Apple said in its security bulletin.
The OS X update also fixes a vulnerability in Apple’s CFNetwork framework that resulted from the framework’s support for anonymous SSL/TLS connections.
“This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections,” the company said.
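An anonymous TLS/SSL connection is one negotiated with a cipher suite that performs no server authentication, which is exactly what lets a man-in-the-middle stand in for the real server. The following added example (not Apple's code; the function names are my own) shows how a defender can audit a client-side TLS configuration for that weakness using Python's standard `ssl` module, contrasting a pre-fix style context with one configured the way the fix describes:

```python
import ssl
from typing import List, Optional

# Added example, not from the article or from Apple. It audits an SSLContext
# for the weakness described in the CFNetwork advisory: cipher suites that
# authenticate nobody (OpenSSL reports them as auth 'auth-null' / "Au=None").


def anonymous_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled cipher suites that perform no server authentication."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("auth") == "auth-null" or "Au=None" in c.get("description", "")
    ]


def peer_auth_problems(ctx: ssl.SSLContext) -> List[str]:
    """Everything in ctx that would let an unauthenticated peer be accepted."""
    problems = []
    anon = anonymous_suites(ctx)
    if anon:
        problems.append("anonymous cipher suites enabled: " + ", ".join(anon))
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification not required")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    return problems


def hardened_context() -> ssl.SSLContext:
    """Client context in the spirit of the fix: anonymous suites disabled,
    certificate and hostname verification required."""
    ctx = ssl.create_default_context()      # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")   # explicitly exclude anonymous (and null) suites
    return ctx


def weak_context() -> Optional[ssl.SSLContext]:
    """Pre-fix style client: anonymous suites allowed and no peer checks.
    Returns None when the local OpenSSL build ships no anonymous suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:aNULL:@SECLEVEL=0")  # SECLEVEL=0 lets ADH suites through
    except ssl.SSLError:
        return None
    return ctx if anonymous_suites(ctx) else None
```

`peer_auth_problems(weak_context())` reports all three weaknesses on builds that still ship ADH suites, while the hardened context reports none.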