Apple has released the OS X 10.8.4 update to fix bugs and close many security holes. The update includes Safari 6.0.5, which fixes security issues found in the browser. A security update for earlier Mac OS X versions, Security Update 2013-002, was released alongside it.
According to the security advisory released by Apple, OS X Mountain Lion v10.8.4 and Security Update 2013-002 fix 31 vulnerabilities in the operating system. A further 26 security issues were fixed in Safari 6.0.5.
OS X 10.8 operating system flaws fixed in 10.8.4 update
- OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key.
- A buffer overflow that existed in the handling of PICT images in QuickDraw is fixed.
- A buffer overflow in the handling of MP3 files and FPX files is now fixed in QuickTime.
- If you have enabled SMB file sharing, an authenticated user may be able to write files outside the shared directory. This issue is now fixed.
- Seven fixes relate to Ruby on Rails remote execution holes discovered earlier this year. According to Apple, multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the
- Permanent cookies were saved after quitting Safari, even when Private Browsing was enabled. This issue was addressed by improved handling of cookies in CFNetwork.
- An unbounded stack allocation issue existed in the handling of text glyphs. This could be triggered by maliciously crafted URLs in Safari. The issue was addressed through improved bounds checking in CoreAnimation.
- An uninitialized memory access issue existed in the handling of text tracks. This issue was addressed by additional validation of text tracks in CoreMedia Playback.
- A privilege escalation issue existed in the handling of CUPS configuration via the CUPS web interface. A local user in the lpadmin group may be able to read or write arbitrary files with system privileges. This issue was addressed by moving certain configuration directives to cups-files.conf, which cannot be modified from the CUPS web interface.
- A remote code execution issue that existed in the directory server's handling of messages from the network is now fixed. This issue affects only Mac OS X 10.6.8 and Mac OS X Server 10.6.8; it does not affect OS X Lion or OS X Mountain Lion systems.
The Safari 6.0.5 update fixes multiple memory corruption problems discovered in WebKit. A cross-site scripting issue that existed in the handling of iframes and copied and pasted data in HTML documents is fixed in WebKit. Another issue found in XSS Auditor is now fixed. This issue may allow malicious alteration of the behavior of a form submission when XSS Auditor rewrites URLs to prevent cross-site scripting attacks.
Non-security fixes in the OS X 10.8.4 update include better compatibility when connecting to certain enterprise Wi-Fi networks, improved Microsoft Exchange compatibility in Calendar, improved VoiceOver compatibility with text in PDF documents, a fix for an issue that prevented FaceTime calls to non-US numbers, and a fix for an issue that may prevent scheduled sleep after using Boot Camp.