Almost three dozen vulnerabilities fixed, from Snow Leopard to Mountain Lion

Sep 13, 2013 07:29 GMT

In tandem with OS X 10.8.5, Apple has released Security Update 2013-004, a separate installer package for OS X users looking to stay out of harm’s way.

Weighing in at around 100MB, Security Update 2013-004 is available in three different versions for three different OS X iterations: Snow Leopard, Lion, and Mountain Lion.

Around three dozen vulnerabilities are addressed in this release, some more serious than others.

For example, Certificate Trust Policy has been updated on every OS X version from Mac OS X 10.6.8 onwards: new certificates have been added, while others have been removed from the list of system roots.

In the Mobile Device Management department, Per Olofsson at the University of Gothenburg reported to Apple that passwords could be disclosed to other local users because of a flaw.

“A password was passed on the command-line to mdmclient, which made it visible to other users on the same system. The issue was addressed by communicating the password through a pipe,” reads the bug’s description.
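The difference between the two approaches in that description can be checked directly. The following is an added example, not Apple's code and not part of the original article: it starts a hypothetical stand-in child process (not mdmclient) with a constructed password, once on the command line and once over a pipe, then reads the child's command line the way any other local user could.

```python
import os
import subprocess
import sys

SECRET = "constructed-demo-password"  # constructed sample value, not a real credential

# Hypothetical stand-in for a tool that needs a password (assumption, not mdmclient).
# It takes the password from argv if present, otherwise from stdin, then idles.
CHILD = r"""
import sys, time
pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip("\n")
sys.stdout.write("ready %d\n" % len(pw)); sys.stdout.flush()
time.sleep(30)
"""

def visible_args(pid):
    """Return the command line of pid as other local users can read it."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):  # Linux: arguments are NUL-separated
        with open(proc_path, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    # macOS / BSD: ps prints the argument list of the process
    out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True)
    return out.stdout

def secret_exposed(via_pipe):
    """Start the child and report whether SECRET shows up in its command line."""
    argv = [sys.executable, "-c", CHILD]
    if not via_pipe:
        argv.append(SECRET)  # weak: password becomes part of the process arguments
    child = subprocess.Popen(argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True)
    try:
        if via_pipe:
            child.stdin.write(SECRET + "\n")  # hardened: password travels over a pipe
            child.stdin.flush()
        ready = child.stdout.readline()  # wait until the child holds the password
        if ready.strip() != f"ready {len(SECRET)}":
            raise RuntimeError("child did not receive the password")
        return SECRET in visible_args(child.pid)
    finally:
        child.kill()
        child.wait()

if __name__ == "__main__":
    print("password on command line visible:", secret_exposed(via_pipe=False))
    print("password over pipe visible:      ", secret_exposed(via_pipe=True))
```

In both runs the child receives the same password; only the command-line variant leaves it readable in the process listing for as long as the process lives.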

Power Management suffered from an issue on Mountain Lion where the screen saver might not start after the specified time period. The issue, addressed through “improved lock handling,” is not credited to any discoverer in particular.

A Screen Lock bug, allowing a user with screen sharing access to bypass the screen lock when another user is logged in, has been addressed.

A sudo flaw affecting OS X versions from 10.7.5 to the latest Mountain Lion release is a bit more serious.

According to Apple, “an attacker with control of an admin user's account may be able to gain root privileges without knowing the user's password.”

If you’re curious how, Apple says it’s actually pretty easy: “by setting the system clock.” Full details are available in the company’s security advisory.

Download Security Update 2013-004 Client (Free)

Download Security Update 2013-004 Server (Free)