Apple Ships Huge Set of Patches for OS X

Apple has released a massive set of patches for a wide range of security vulnerabilities in a number of its products and components, including OS X Lion and QuickTime. The patches, which are rolled up in OS X 10.7.3, fix a slew of serious bugs, many of which can be used to execute arbitrary code remotely on vulnerable machines.

One of the more serious vulnerabilities Apple fixed is the flaw that researchers Juliano Rizzo and Thai Duong discovered in the TLS 1.0 and SSL 3.0 protocols last year. The vulnerability, for which they wrote a proof-of-concept exploit tool called BEAST, is fixed in the new version of Apache that Apple included in yesterday’s patches. Exploiting the flaw enables an attacker to decrypt some SSL sessions.

“There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the ‘empty fragment’ countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default,” Apple said in its advisory.
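To make the advisory's point concrete, here is an added simulation (not code from Apple, Apache or the BEAST authors) of why the empty-fragment countermeasure matters. In TLS 1.0 the CBC "IV" for each record is the last ciphertext block of the previous record, so a passive observer already knows the IV before the next piece of application data is encrypted. Sending an empty record first means the data record chains from a freshly produced ciphertext block that the observer has not seen. The block cipher, keys and HTTP requests below are all constructed stand-ins; the Feistel cipher is a toy, not AES.

```python
import hmac
import hashlib
import os

BLOCK = 16  # block size of the toy cipher, same as AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, i, half):
    # Keyed round function for the toy Feistel cipher (HMAC used as a PRF).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key, block):
    """4-round Feistel network on a 16-byte block. A stand-in for AES, not a real cipher."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def tls10_pad(data):
    """TLS 1.0 padding: pad_len+1 bytes, each equal to pad_len, to reach a block boundary."""
    pad_len = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([pad_len]) * (pad_len + 1)


class Tls10CbcSender:
    """Minimal model of one direction of a TLS 1.0 CBC record layer."""

    def __init__(self, enc_key, mac_key, empty_fragment):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.cbc_state = os.urandom(BLOCK)    # first IV comes from the (secret) key block
        self.seq = 0
        self.empty_fragment = empty_fragment  # the countermeasure the advisory re-enables

    def _record(self, fragment):
        header = self.seq.to_bytes(8, "big") + b"\x17\x03\x01" + len(fragment).to_bytes(2, "big")
        mac = hmac.new(self.mac_key, header + fragment, hashlib.sha1).digest()
        iv_used = self.cbc_state
        ct = cbc_encrypt(self.enc_key, iv_used, tls10_pad(fragment + mac))
        self.cbc_state = ct[-BLOCK:]  # TLS 1.0 chaining: next IV = last ciphertext block
        self.seq += 1
        return iv_used, ct

    def write(self, data):
        """Encrypt one application write; returns the (iv_used, ciphertext) records sent together."""
        records = [self._record(b"")] if self.empty_fragment else []
        records.append(self._record(data))
        return records


def data_iv_was_on_the_wire(empty_fragment):
    """Model two consecutive writes and report whether the IV that encrypted the second
    write's application data was already visible to a passive observer before that write."""
    sender = Tls10CbcSender(b"K" * 16, b"M" * 20, empty_fragment)  # constructed keys
    first = sender.write(b"GET /one HTTP/1.1\r\n")
    observed_last_block = first[-1][1][-BLOCK:]
    second = sender.write(b"GET /two HTTP/1.1\r\n")
    data_iv = second[-1][0]
    return data_iv == observed_last_block


if __name__ == "__main__":
    print("countermeasure off, IV already on the wire:", data_iv_was_on_the_wire(False))  # True
    print("countermeasure on,  IV already on the wire:", data_iv_was_on_the_wire(True))   # False
```

With the countermeasure off, the IV for the second request is exactly the last ciphertext block the observer saw, which is the precondition for the chosen-plaintext attack the advisory refers to. With it on, the empty record consumes that known block and the data record chains from a block that depends on the MAC key, so it cannot be known in advance. TLS 1.1 and later removed the problem at the protocol level by giving each record an explicit IV.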

Apple also pushed out an update that revokes trust in certificates issued by the Malaysian CA DigiCert Malaysia, which were found last year to contain weak cryptographic keys.

“Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted,” Apple’s advisory said.

Among the other components that Apple patched on Wednesday are PHP, QuickTime and SquirrelMail.

Discussion

  • Data13 on

    Say it isn't so?!  This is the same Apple that boasted for years that they were virus-free?!  Guess all those Mac vs. PC commercials are biting ya in the butt now...  You made the virus writers focus on your products...  Enjoy!!

  • Anonymous on

    Data13, OS X hasn't had a virus yet, although it has had trojans that users installed. Like any other operating system, bugs and exploits are found and patched. The difference with OS X is it's BSD Unix, which was rather well thought out to begin with to be very secure. Mac users generally don't run anti-malware software, perhaps only ClamXav to clean the filth off Windows files before passing them on. However I must give credit to Microsoft for doing a better security and aesthetics job with Windows 7; as an older user I actually like it in favor of Apple's depressing and stupid OS X Lion. Lion is their "Vista", an abortion of an operating system that should have been terminated before entering this world.

  • Anonymous on

    And another problem with Apple is this: unless you upgrade your operating system within 2 years of release of the new one, Apple will cut you off from any and all security updates. Sometimes these operating system upgrades require newer hardware, as Apple will ditch your PPC or Intel 32 bit processor machines. So you have a choice of running an insecure box or buying new hardware and expensive software every 4 years. To add insult to injury, Apple doesn't widely test its security updates, and is quick to conflict with something they don't want to pay attention to anymore, like Rosetta or Flash. Apple's OS and machines are of good quality and would last a considerably long time, but they intentionally don't have any long term support, which is why they don't make a good choice except for the rich consumer who can toss an entire machine at the slightest issue.

  • Anonymous on

    Apple is always, too expensive and too unrealistic.

  • Anonymous on

    Apple has been around since the early 80's and still can't get a foothold in the enterprise...the proof is in the pudding folks...and for good reason...they are nothing more than a consumer machine for the simple-minded that limits you to what they want you to use and do.  They are experts at marketing hardware and an OS that is not as stable and secure as they state, and as soon as the hackers turn their sights to the Apple products en masse...you will find out how insecure they are.

  • enoel on

    Fanboys are with us always.

    All computers need to become more secure and all operating systems and applications need security updates when vulnerabilities are discovered.

    Apple doesn't care about "The Enterprise" but  everyone from the mail room to the executive suite wants to bring their iPhones and iPads into the enterprise's network.

    And, look how Apple has suffered by ignoring the corporate computer market.

  • Anonymous on

    "my 9 year old G5 (relegated to a minor position on our home network) still gets patches, including security updates." Only the Apple programs, as they are the same across OS versions, not OS 10.5 or earlier; check Keychain Access > DigiNotar and let Google assist you.

  • Anonymous on

    Apple goes after Microsoft about 10 years of security. Latest evidence is a series of viruses on Mac OS based on the date the update is not Apple's fault. Apple should focus on security for Mac OS.