Both Client and Server users get the update across several OS X versions

Jun 5, 2013 08:48 GMT
OS X Snow Leopard, Lion, and Mountain Lion operating systems running side by side on a Mac using Parallels Desktop

Apple this week rolled out Security Update 2013-002, the company’s second maintenance update this year, targeting newly found vulnerabilities in several OS X versions, including Server installments.

Security Update 2013-002 is available for OS X 10.6 (Snow Leopard), OS X 10.7 (Lion) and OS X 10.8 (Mountain Lion), including their respective Client and Server iterations. Let’s look at some examples of patched flaws.

For OS X Mountain Lion in particular, the latest version of Apple’s desktop OS, the security update addresses a total of 26 bugs.

Affecting OS X Mountain Lion v10.8 to v10.8.3 installations, a CFNetwork bug caused permanent cookies to be saved after quitting Safari, even when Private Browsing was enabled.

Because of this, “An attacker with access to a user's session may be able to log into previously accessed sites, even if Private Browsing was used,” says the advisory.

Some patches are only targeted at Snow Leopard, Apple’s 2009 Mac OS.

“An issue existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges,” says Apple.

Clarifying that the issue does not affect Lion and Mountain Lion customers, Apple assures users that said flaw has been addressed in Security Update 2013-002 “through improved bounds checking.”

As far as OS X Lion is concerned, most of the bugs documented by Apple affect that platform. Here’s just one example, in which a user (presumably with bad intentions) may write files outside the shared directory.

“Description: If SMB file sharing is enabled, an authenticated user may be able to write files outside the shared directory. This issue was addressed through improved access control,” says Apple.
