Apple has updated both OS X and its Safari browser, fixing a pile of security vulnerabilities, many of which can be used for remote code execution. The release of OS X Mountain Lion 10.8.4 includes patches for more than 30 bugs, most notably a set of fixes for vulnerabilities in Ruby, some of which are already being exploited.
This is a major security fix for OS X, and in addition to the large set of patches for Ruby there also is a long list of fixes for vulnerabilities in OpenSSL. One of the vulnerabilities fixed in OpenSSL is CVE-2012-4929, the bug that covers the compression attack on TLS 1.0 developed by security researchers Thai Duong and Juliano Rizzo. Known as the CRIME attack, the technique enables an attacker to decrypt SSL-protected sessions under some circumstances.
Apple also fixed 12 other vulnerabilities in OpenSSL by updating it to the most recent version, 0.9.8x.
Apple OS X 10.8.4 also fixes a number of vulnerabilities in Ruby that caused weaknesses in applications built on Ruby on Rails.
“Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility,” Apple said in its advisory.
The patch also includes fixes for several vulnerabilities in QuickTime as well as in other components of the operating system.
As far as Safari is concerned, the release of Safari 6.0.5 is essentially a massive fix for WebKit. The new version of the browser contains more than 25 patches for WebKit vulnerabilities.