Apple has released a massive set of patches for a wide range of security vulnerabilities in a number of its products and components, including OSX Lion and QuickTime. The patches, which are rolled up in OS X 10.7.3, fix a slew of serious bugs, many of which can be used to execute remote code on vulnerable machines.
One of the more serious vulnerabilities Apple fixed is the flaw that researchers Juliano Rizzo and Thai Duong discovered in the TLS 1.0 and SSL 3.0 protocols last year. The vulnerability, for which they wrote a proof-of-concept exploit tool called BEAST, is fixed in the new version of Apache that Apple included in yesterday’s patches. Exploiting the flaw enables an attacker to decrypt some SSL sessions.
“There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the ’empty fragment’ countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default,” Apple said in its advisory.
Apple also pushed out an update that revokes trust in some of the certificates issued by Malaysian CA DigiCert that were found last year to contain weak cryptographic keys.
“Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted,” Apple’s advisory said.
Among the other components that Apple patched on Wednesday are PHP, QuickTime and SquirrelMail.