Apple has released a massive set of security updates for Mac OS X and a number of other applications, fixing a total of 39 separate vulnerabilities in programs including QuickTime, MobileMe and others. The company also released OS X 10.6.8.
One of the more serious bugs that Apple fixed with the huge patch release on Thursday is a vulnerability in OS X’s certificate trust policy, which governs the ways in which users’ systems handle digital certificates. The vulnerability can allow an attacker who already has a foothold on a network to eavesdrop and intercept users’ credentials or other sensitive data.
“An error handling issue existed in the Certificate Trust Policy. If an Extended Validation (EV) certificate has no OCSP URL, and CRL checking is enabled, the CRL will not be checked and a revoked certificate may be accepted as valid. This issue is mitigated as most EV certificates specify an OCSP URL,” Apple said in its advisory.
The certificate trust policy issue was identified and reported by two Google researchers.
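The fail-open behaviour the advisory describes, as an added illustration that is not Apple's code and not taken from the advisory: a small revocation-check model in Python in which a missing OCSP URL is wrongly treated as "nothing to check", beside a version that simply falls through to the CRL. The certificate fields, the example URLs and serial numbers, the in-memory revocation sets and the fail-closed rule for an EV certificate with no usable revocation source are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Certificate:
    """Minimal stand-in for the revocation-relevant fields of a leaf certificate."""
    serial: str
    is_ev: bool
    ocsp_url: Optional[str]   # would come from the Authority Information Access extension
    crl_url: Optional[str]    # would come from the CRL Distribution Points extension


# Constructed revocation data standing in for an OCSP responder and a CRL
# (sample values, not real CA data).
OCSP_REVOKED: Set[str] = {"0x1234"}
CRL_REVOKED: Set[str] = {"0x1234", "0x5678"}


def revoked_via_ocsp(cert: Certificate) -> bool:
    return cert.serial in OCSP_REVOKED


def revoked_via_crl(cert: Certificate) -> bool:
    return cert.serial in CRL_REVOKED


def evaluate_flawed(cert: Certificate, crl_checking_enabled: bool) -> str:
    """Models the failure mode described in the advisory (a constructed model,
    not Apple's implementation): an EV certificate without an OCSP URL takes an
    error path that returns before the CRL is ever consulted, so a certificate
    the CRL lists as revoked is accepted."""
    if cert.is_ev and cert.ocsp_url is None:
        return "accepted"  # error path: no OCSP source is treated as nothing to check
    if cert.ocsp_url is not None and revoked_via_ocsp(cert):
        return "revoked"
    if crl_checking_enabled and cert.crl_url is not None and revoked_via_crl(cert):
        return "revoked"
    return "accepted"


def evaluate_hardened(cert: Certificate, crl_checking_enabled: bool) -> str:
    """Consults every revocation source the certificate advertises. A missing
    OCSP URL is not an error; it just means falling through to the CRL.
    Rejecting an EV certificate when no source could be checked at all is an
    assumed fail-closed policy chosen for this example."""
    checked = False
    if cert.ocsp_url is not None:
        checked = True
        if revoked_via_ocsp(cert):
            return "revoked"
    if crl_checking_enabled and cert.crl_url is not None:
        checked = True
        if revoked_via_crl(cert):
            return "revoked"
    if cert.is_ev and not checked:
        return "rejected"  # assumed policy: EV with no usable revocation source
    return "accepted"


if __name__ == "__main__":
    # EV certificate with no OCSP URL whose serial appears only on the CRL:
    # the flawed check accepts it, the hardened check sees the revocation.
    ev_no_ocsp = Certificate("0x5678", True, None, "http://crl.example.test/ca.crl")
    print("flawed:  ", evaluate_flawed(ev_no_ocsp, crl_checking_enabled=True))
    print("hardened:", evaluate_hardened(ev_no_ocsp, crl_checking_enabled=True))
```

The point of the side-by-side is the shape of the bug: a condition meant to detect an unusual input (no OCSP URL) doubles as an early exit, and whatever checks follow it are silently skipped. Revocation logic should enumerate the sources it actually has and treat "no source available" as an explicit outcome rather than as success.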
Apple also released patches for five individual vulnerabilities in QuickTime, which is one of the more widely deployed applications on the Web. It’s the default media player for a lot of OS X users, and all of the vulnerabilities that Apple fixed Thursday can be used by an attacker to run arbitrary code on remote machines.
In addition to the QuickTime and certificate bugs, Apple fixed eight separate flaws in its MySQL implementation in OS X. The application, which ships with OS X Server, had several bugs that could be used for remote code execution. There also were five vulnerabilities in the company’s OpenSSL implementation, some of which could likewise be used for remote code execution.
Among the other applications and components that Apple patched are MobileMe, the App Store and many others.