Patches available for OS X Lion, Mountain Lion, and Mavericks

Apr 23, 2014 08:49 GMT  ·  By

Apple has released Security Update 2014-002 for OS X 10.7 (Lion), OS X 10.8 (Mountain Lion), and OS X 10.9 (Mavericks) addressing over a dozen distinct bugs in the operating system, some shared with the iOS mobile operating system.

Security researcher Antoine Delignat-Lavaud of Prosecco at Inria Paris informed Apple of a CFNetwork HTTPProtocol flaw where an attacker in a privileged network position could obtain web site credentials.

According to the description, “Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.”

Apple addressed this flaw by instructing CFNetwork HTTPProtocol to ignore incomplete HTTP header lines. The issue was also found and patched in iOS 7 (with the release of iOS 7.1.1).
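To make the advisory's point concrete, here is an added example (not Apple's CFNetwork code and not from the advisory) that contrasts two ways of handling a response whose Set-Cookie line is cut off by a closed connection. The lenient parser keeps the unterminated trailing line and so stores the cookie without its Secure and HttpOnly attributes; the strict parser, which mirrors the described fix of ignoring incomplete header lines, never processes the truncated line at all. The sample response bytes and the cookie name are constructed for the example.

```python
"""Lenient vs strict HTTP header-line handling for a truncated Set-Cookie line.

Added example only; it does not reproduce CFNetwork's parser.  An HTTP header
line is complete only when terminated by CRLF, so a line cut short by a closed
connection shows up as a trailing fragment with no terminator.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample response: the Set-Cookie line carries Secure and HttpOnly.
COMPLETE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
)
# The same bytes cut off mid-line before the security attributes arrive,
# as would happen if the connection closed early.
TRUNCATED_RESPONSE = COMPLETE_RESPONSE[: COMPLETE_RESPONSE.index(b"; Secure")]


def split_header_lines(raw: bytes, strict: bool) -> List[bytes]:
    """Return the header lines of `raw` up to the blank line ending the block.

    Lenient mode (strict=False) also returns a trailing fragment that was never
    terminated by CRLF; strict mode discards it, so an incomplete line is never
    interpreted as a header.
    """
    lines = raw.split(b"\r\n")
    # Whatever followed the last CRLF is either empty or an unterminated fragment.
    tail = lines.pop()
    if tail and not strict:
        lines.append(tail)
    headers: List[bytes] = []
    for line in lines:
        if line == b"":  # empty line terminates the header block
            break
        headers.append(line)
    return headers


def parse_set_cookie(lines: List[bytes]) -> Dict[str, Dict[str, object]]:
    """Collect Set-Cookie headers into {name: {"value": ..., "attrs": {...}}}."""
    cookies: Dict[str, Dict[str, object]] = {}
    for line in lines:
        field, sep, value = line.partition(b":")
        if not sep or field.strip().lower() != b"set-cookie":
            continue  # status line or some other header
        parts = [p.strip() for p in value.split(b";")]
        cname, _, cval = parts[0].partition(b"=")
        attrs: Dict[str, object] = {}
        for part in parts[1:]:
            key, _, val = part.partition(b"=")
            # Flag attributes such as Secure and HttpOnly have no value.
            attrs[key.decode().lower()] = val.decode() if val else True
        cookies[cname.decode().strip()] = {"value": cval.decode(), "attrs": attrs}
    return cookies


def session_cookie_flags(raw: bytes, strict: bool) -> Optional[Tuple[bool, bool]]:
    """Return (secure, httponly) for the 'session' cookie, or None if not stored."""
    cookies = parse_set_cookie(split_header_lines(raw, strict))
    cookie = cookies.get("session")
    if cookie is None:
        return None
    attrs = cookie["attrs"]
    return ("secure" in attrs, "httponly" in attrs)


if __name__ == "__main__":
    for label, raw in (("complete", COMPLETE_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        for strict in (False, True):
            mode = "strict" if strict else "lenient"
            print(f"{label:9} {mode:7} -> {session_cookie_flags(raw, strict)}")
```

Run stand-alone, the lenient parse of the truncated response reports the session cookie with neither Secure nor HttpOnly set, which is exactly the unprotected cookie the advisory describes; the strict parse reports that no cookie was stored, because the cut-off line was discarded rather than interpreted.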

Lukasz Pilorz of runic.pl and Erik Kooistra reported a format string issue in the handling of URLs. Affecting CoreServicesUIAgent, “This issue was addressed through additional validation of URLs,” Apple says. OSes other than Mavericks are unaffected. iOS 7.1.1 patches the same bug for users of iPhones, iPod touch players, and iPads.

A FontParser vulnerability is also disclosed in the advisory. Impacting only Mountain Lion computers, the bug (once exploited) would lead to unexpected application termination or arbitrary code execution by opening a maliciously crafted PDF file.

The problem stemmed from a buffer underflow in the handling of fonts in PDF files. Apple patched the bug through additional bounds checking after learning of its existence from Will Dormann of CERT/CC.

Power Management on OS X Mavericks 10.9.2 suffered from a vulnerability that prevented the screen from locking. Apple explains:

“If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep. This issue does not affect systems prior to OS X Mavericks.”

Other flaws were found in areas like Heimdal Kerberos, ImageIO, Intel Graphics Driver, IOKit Kernel, Kernel, Ruby, Security – Secure Transport and WindowServer. There are separate versions of Security Update 2014-002 that customers can download (tailored specifically for their OS version). For instance, the Lion version only patches a handful of bugs.