Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. OS X 10.8.3 fixes a total of 21 vulnerabilities and also includes a new version of the malware removal tool for Apple machines.
The latest update for Apple OS X includes many important security fixes, but the most interesting one is the fix for the Java issue. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn’t quite enough to protect users of some versions of OS X.
“Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled. Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory,” Apple said in its advisory.
Many of the vulnerabilities in OS X that Apple fixed could be used for remote code execution. One of those is a buffer overflow in QuickTime that could allow an attacker to run arbitrary code on a vulnerable machine. Among the other fixes in the update is a change that revokes trust in some fraudulent SSL certificates issued months ago by TURKTRUST.
“Several intermediate CA certificates were mistakenly issued by TURKTRUST. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates,” Apple said.