Over 50 vulnerabilities patched in total, most affected OS X Lion as well

Feb 2, 2012 09:32 GMT  ·  By

A security update, targeting users of Mac OS X 10.6 Snow Leopard, has been released by Apple alongside OS X 10.7.3, the newest version of OS X Lion.

Over 50 vulnerabilities are listed on Apple’s Support site, some of which are pretty serious. For example, in components such as SquirrelMail and Webmail, security researchers found (and Apple fixed) cross-site scripting vulnerabilities.

Per Apple’s support document, “SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems.”

The company advises users to visit the SquirrelMail web site for further information.

Webmail, on the other hand, suffers from a cross-site scripting (XSS) issue that’s present only on OS X Lion and does not affect Snow Leopard. According to Apple, “viewing a maliciously crafted e-mail message may lead to the disclosure of message content.”

“A cross-site scripting vulnerability existed in the handling of mail messages,” reads the description. “This issue is addressed by updating Roundcube Webmail to version 0.6. This issue does not affect systems prior to OS X Lion,” Apple clarifies.

A total of six vulnerabilities have been discovered in QuickTime, all of which could lead to an unexpected application termination or arbitrary code execution. Apple fixed them all in Security Update 2012-001 and OS X Lion 10.7.3.

Another important fix targets Data Security, with Apple noting that “An attacker with a privileged network position may intercept user credentials or other sensitive information.”

Another fix is for the Address Book application. Bernard Desruisseaux of Oracle Corporation discovered that “A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed.”

He thus concluded that “An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval.”
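As an added illustration (not Apple’s code and not part of the original article), the following Python sketch contrasts the silent downgrade described above with the corrected behaviour that requires user approval before falling back to plaintext; the simulated TLS transport, the `tls_ok` flag and the `ask_user` callback are assumptions made for the example.

```python
"""Downgrade-to-plaintext failure mode, vulnerable vs. fixed (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional


class TlsFailure(Exception):
    """Raised by the simulated transport when the encrypted connection fails."""


@dataclass
class Connection:
    host: str
    scheme: str  # "https" for an encrypted session, "http" for plaintext


def _try_tls(host: str, tls_ok: bool) -> Connection:
    # Stand-in for a real TLS handshake; tls_ok is the constructed outcome.
    # In a real attack scenario a privileged network position lets an
    # attacker force this to fail (e.g. by dropping or resetting the handshake).
    if not tls_ok:
        raise TlsFailure(f"TLS handshake to {host} failed")
    return Connection(host, "https")


def connect_downgrading(host: str, tls_ok: bool) -> Connection:
    """Pre-fix behaviour: on TLS failure, silently fall back to plaintext.

    Contact data (CardDAV) would then travel in the clear with no indication
    to the user that anything changed.
    """
    try:
        return _try_tls(host, tls_ok)
    except TlsFailure:
        return Connection(host, "http")  # the downgrade the advisory describes


def connect_with_approval(host: str, tls_ok: bool,
                          ask_user: Callable[[str], bool]) -> Optional[Connection]:
    """Fixed behaviour: never downgrade without explicit user approval.

    Returns None when TLS fails and the user declines an unencrypted session,
    so the caller cannot accidentally proceed over plaintext.
    """
    try:
        return _try_tls(host, tls_ok)
    except TlsFailure as exc:
        if ask_user(f"{exc}. Continue over unencrypted HTTP?"):
            return Connection(host, "http")
        return None
```

Detection-wise, the observable difference is a CardDAV client that emits plaintext HTTP to a server configured for TLS only; that traffic pattern is what the fix removes.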

There’s a Client version and a Server version of Security Update 2012-001 for Snow Leopard. You can download either of them via the links below. Alternatively, use the Software Update mechanism on your Mac to download and install the updates.

Download Security Update 2012-001 Server (Snow Leopard)

Download Security Update 2012-001 Client (Snow Leopard)