Apple releases OS 10.8.4

Published: 2013-06-05
Last Updated: 2013-06-05 02:43:44 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Apple released the next update for OS X, 10.8.4. Eventually, we should learn more about the security content of the update, but at this point, the security page has not been updated yet [1]. 

However, Apple did distribute a list of patched vulnerabilities via e-mail (thanks Dave for sharing). The update fixes a total of 33 vulnerabilities. Here are some of the highlights:


OS 10.8.4 Update Overview
  CVE # Component Affected Versions  
2013-0982 CFNetwork 10.8 - 10.8.3 data leakage (authentication cookies)
2013-0983 CoreAnimation 10.8 - 10.8.3 code execution
2013-1024 CoreMedia 10.7-10.7.5 (Server
code execution
2013-5519 CUPS 10.8-10.8.3 priv. escalation
2013-0984 Directory Service 10.6.8 remote code execution as system
2013-0985 Disk Management 10.8-10.8.3 data leakage (disable file vault)
2012-4829 OpenSSL 10.6.8, 10.7-10.7.5, 10.8-10.8.3 data leakage ("CRIME" attack)
multiple OpenSSL 10.6.8, 10.7-10.7.5, 10.8-10.8.3 DoS, data leakage
2013-0987 QuickTime QTIF Files 10.6.8, 10.7-10.7.5, 10.8-10.8.3 code execution
2013-0988 QuickTime FPX Files 10.6.8., 10.7-10.7.5, 10.8-10.8.3 code execution
2013-0989 QuickTime MP3 Files 10.8-10.8.3 code execution
multiple Ruby on Rails 10.6.8 code execution (EXPLOITED)
2013-0990 SMB 10.7-10.7.5, 10.8-10.8.3 authenticated user may write files outside of shared directory

Other changes:

Gatekeeper will check downloaded JNLP applications and may require a valid developer ID certificate.

In addition, this update includes Safari 6.0.5 with various improvements / security fixes not listed here. 

Safari 6.0.5 patches a total of 23 arbitrary code execution vulnerabilities, two cross site scriting issue and one problem with the XSS Auditor that may cause form submissions to be altered.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: apple os x
6 comment(s)
Diary Archives