Apple pushed a handful of patches late last week and updated OS X Mountain Lion to 10.8.5, addressing “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system.
The update fixes multiple vulnerabilities in Apache that could have led to cross-site scripting and vulnerabilities in BIND that could have led to a denial of service. Other fixes, in components such as PostgreSQL, PHP and OpenSSL, addressed flaws that could have led to arbitrary code execution, data corruption or privilege escalation.
Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. The Installer was patched as well: it previously presented a dialog that let the user continue when it encountered a revoked certificate. That dialog has been removed, and the system now refuses any package signed with a revoked certificate.
The update also resolved the previously reported sudo vulnerability. An attacker could have gained root privileges on a system where sudo, a command-line tool that manages user privileges on Linux and several other types of systems, including OS X, had already been used. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” reads the security document released in tandem with the patches Thursday.
Thursday also saw the release of Safari 5.1.10, Apple’s flagship browser. A JavaScriptCore patch fixed multiple memory corruption issues, including one in which visiting a maliciously crafted website could lead to unexpected application termination or arbitrary code execution.
10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc.) of operating systems. The next iteration of Apple’s OS, Mavericks, is slated for release at the end of October.
On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.