14 DAY TRIAL // The newly-released OS X Lion v10.7.3 and Security Update 2012-001 are two software updates that have something very important in common - patches for numerous areas of the two operating systems that, until now, have been vulnerable to attack.
There’s a single technical note that details the contents of both updates, which may confuse some users.
Here, we will focus on some of the most important patches that only target computers running OS X Lion. For the fixes targeting Snow Leopard, see this article.
Address Book is one of the core areas Apple patched up in OS X 10.7.3 at the instructions of Bernard Desruisseaux of Oracle Corporation, who found that an attacker in a privileged network position may intercept CardDAV data.
Affecting all versions of Lion prior to 10.7.3, the bug was a “downgrade issue [that] caused Address Book to attempt an unencrypted connection if an encrypted connection failed.”
A CFNetwork vulnerability, discovered and reported to Apple by Erling Ellingsen of Facebook, opened the door to the disclosure of sensitive information, should the user navigate to a maliciously crafted website.
“An issue existed in CFNetwork's handling of malformed URLs. When accessing a maliciously crafted URL, CFNetwork could send the request to an incorrect origin server,” reads the description.
Apple clarifies that “This issue does not affect systems prior to OS X Lion.,” meaning Snow Leopard and Leopard operating systems are untouched by this flaw.
Internet Sharing also suffered from an exploitable vulnerability in Lion. An anonymous researcher contacted Apple to reveal that “a Wi-Fi network created by Internet Sharing may lose security settings after a system update.”
This was discovered during beta testing of OS X 10.7.3. The issue is addressed in the final, shipping version of the software.
There’s more. In case you didn’t know, if you stick to OS X 10.7.2 “a remote attacker may access new backups created by the […] system.” It’s a long shot, but the damage could be huge to some people if it happened to them.
Michael Roitzsch of the Technische Universität Dresden discovered during Lion beta testing that Time Machine didn’t verify that the same device was being used for subsequent backup operations, when he designated a remote volume for backups.
“An attacker who is able to spoof the remote volume could gain access to new backups created by the user's system,” reads the description. “This issue is addressed by verifying the unique identifier associated with a disk for backup operations,” according to Apple.
Many other issues, including a couple of cross-scripting flaws affecting Webmail and SquirrelMail are detailed in Apple’s Support document - About the security content of OS X Lion v10.7.3 and Security Update 2012-001.