Roughly three dozen vulnerabilities patched in Snow Leopard

May 10, 2012 08:49 GMT

The second major security update for 2012 is out for Mac users running any version of Mac OS X between 10.6.8 (Snow Leopard) and 10.7.3 (Lion) Client and Server.

OS X Lion v10.7.4 and Security Update 2012-002 for Snow Leopard both contain the same patches and can be downloaded via Software Update preferences, or from Apple’s Downloads site, the Mac maker informs customers.

To be clear, Lion users needn’t download Security Update 2012-002. All they require is OS X 10.7.4.

Roughly 40 bugs are patched in this week’s release. Around three dozen are plugged solely in Snow Leopard, and one issue in particular requires Lion users’ utmost attention.

We’re talking about the FileVault vulnerability documented on May 5th by security researcher David Emery, with DIE Consulting, who revealed that an old version of the encryption tool, working under OS X 10.7.3, could store user account passwords as plain text.

Apple’s official description of the flaw reads:

An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories.

OS X 10.7.4 only does half the job of protecting customers against having their passwords leaked to a third party. After applying the update, customers are still required to securely remove any remaining records, manually.

With Security Update 2012-002 and OS X 10.7.4, Apple also patched flaws in components including Bluetooth, curl, Directory Service, HFS, ImageIO, Kernel, libsecurity, libxml, LoginUIFramework, PHP, Quartz Composer, QuickTime, Ruby, Samba, Security Framework, Time Machine, and X11.

Snow Leopard and Lion users can download their respective updates using the links below.

Download Security Update 2012-002 (Free)

Download OS X Lion 10.7.4 Client (Free)

Download OS X Lion 10.7.4 Server (Free)