Security Update 2014-001 released with over two dozen security fixes

Feb 26, 2014 08:40 GMT

Apple is offering new software updates to the entire Mac user base, including customers running OS X Mavericks, OS X Lion, and OS X Mountain Lion. While Mavericks users are in for quite a treat, the rest of the population is receiving some boring but important security patches.

High on the list of priorities for Security Update 2014-001 was the widely publicized SSL/TLS flaw, which would allow “an attacker with a privileged network position [to] capture or modify data in sessions protected by SSL/TLS.”

Apple was a bit late to address this bug, but it eventually delivered the patch in OS X 10.9.2 and Security Update 2014-001.

According to the security advisory included with these two updates, a separate SSL-related flaw that would allow an attacker to decrypt data protected by SSL was also in need of fixing. However, unlike the aforementioned bug, this one resided in OS X Mountain Lion installations.

Apple explains that “[In OS X 10.8.5] there were known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode. To address these issues for applications using Secure Transport, the 1-byte fragment mitigation was enabled by default for this configuration.”
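The 1/n-1 record split that the advisory refers to, as an added illustration that is not Apple's Secure Transport code: a model of the SSL 3.0 / TLS 1.0 sender in Python, where the block cipher is a stand-in keyed hash (an assumption, not AES) and the record MAC is omitted, so only the CBC chaining between records is shown.

```python
import hashlib

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the real block cipher (assumption): a keyed hash truncated
    # to one block. It only models CBC chaining; it is not invertible.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def tls_pad(data: bytes) -> bytes:
    # TLS 1.0 padding: pad_len + 1 bytes, each holding the value pad_len.
    pad_len = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([pad_len]) * (pad_len + 1)

class Tls10CbcWriter:
    """Sender side of an SSL 3.0 / TLS 1.0 CBC connection (MAC omitted).
    The IV of every record is the last ciphertext block of the previous
    record, so it is on the wire before the next plaintext is chosen."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key, self.iv = key, initial_iv

    def _encrypt_record(self, plaintext: bytes) -> tuple:
        padded, prev, out = tls_pad(plaintext), self.iv, []
        for i in range(0, len(padded), BLOCK):
            xored = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
            prev = block_encrypt(self.key, xored)
            out.append(prev)
        iv_used, self.iv = self.iv, prev  # chain the next record from this one
        return iv_used, b"".join(out)

    def write(self, data: bytes, one_n_minus_one: bool) -> list:
        """Records sent for `data` as (iv_used, ciphertext) pairs. With the
        1/n-1 mitigation a 1-byte record goes first, so the record carrying
        the remaining n-1 bytes chains from a ciphertext block that did not
        exist when the plaintext was chosen."""
        if not one_n_minus_one or len(data) < 2:
            return [self._encrypt_record(data)]
        return [self._encrypt_record(data[:1]), self._encrypt_record(data[1:])]

def bulk_record_iv_was_predictable(writer, data: bytes, mitigated: bool) -> bool:
    """Observer's view before `data` is sent: the only IV that can be
    predicted is the current chained IV. True if the record carrying the
    bulk of `data` was encrypted under exactly that predictable IV."""
    predicted = writer.iv
    iv_used, _ = writer.write(data, mitigated)[-1]
    return iv_used == predicted
```

Without the mitigation the bulk record is encrypted under an IV already visible on the wire; with it, the bulk record chains from the ciphertext of the 1-byte record, which is what removes the predictable-IV condition on which the known CBC attacks depend.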

Even older versions of OS X, such as 10.7 (Lion), are targeted by the first security update deployed by Apple in 2014.

Multiple vulnerabilities existed in Apache, ATS, Certificate Trust Policy, Date and Time, File Bookmark, ImageIO, IOSerialFamily, LaunchServices, NVIDIA Drivers, PHP, and even QuickTime, all affecting OS X Lion installations and newer versions of the Mac OS.

QuickTime alone was so buggy that Apple had to deploy as many as six separate patches to secure this single application. And there’s no guarantee that all holes have been completely plugged.


Apple credits various security researchers and amateurs alike in the advisory.

Friedrich Graeter of The Soulmen GbR reported a serious App Sandbox flaw, while Felix Groebert and Meder Kydyraliev of the Google Security Team reported ATS flaws to the Cupertino giant.

Rob Ansaldo of Amherst College and Graham Bennett found a CFNetwork Cookies flaw, while Karl Smith of NCC Group sounded the alarm on CoreAnimation flaws.

Lucas Apa and Carlos Mario Penagos of IOActive Labs reported a CoreText flaw. Amateurs Michal Zalewski and @dent1zt are credited in the advisory for reporting ImageIO and IOSerialFamily flaws, respectively.

Other people credited come from the X.Org Foundation Nouveau project, Mozilla Corporation, and Mac security expert Intego.
