Friday, June 7, 2013

A Week's Worth Of Apple Security Updates:
- OS X 10.8.4
- Security Update 2013-002
- Safari 6.0.5

--

This past week, Apple provided OS X 10.8.4 Mountain Lion. Integrated into the OS X update were Security Update 2013-002 and Safari 6.0.5. For users of OS X 10.7.5 Lion, the Security Update and Safari update were available separately. For users of OS X 10.6.8 Snow Leopard, only the Security Update was available.

For a few days, the OS X 10.8.4 Combo update was corrupt on at least one Apple server, throwing "invalid checksum" errors whenever anyone attempted to open the .dmg file.



NOTE: If you downloaded the "OSXUpdCombo10.8.4.dmg" file for future use and have not yet attempted opening the file, I suggest you do so IMMEDIATELY. Apple has repaired the server problem, at least from my personal experience, providing a working replacement for the bad file.

Below are the links for the various updates and their security documents:


OS X Mountain Lion Update v10.8.4 Combo
http://support.apple.com/downloads/DL1659/en_US/OSXUpdCombo10.8.4.dmg

OS X Mountain Lion Update v10.8.4 (for updating from 10.8.3)
http://support.apple.com/downloads/DL1658/en_US/OSXUpd10.8.4.dmg

Security Update 2013-002 Server (Lion)
Security Update 2013-002 Client (Lion)

Security Update 2013-002 Server (Snow Leopard)
http://support.apple.com/downloads/DL1663/en_US/SecUpdSrvr2013-002.dmg

Security Update 2013-002 Client (Snow Leopard)
http://support.apple.com/downloads/DL1660/en_US/SecUpd2013-002.dmg

Safari 6.0.5: Only available via Software Update within OS X 10.7.5. Included with the 10.8.4 update.


About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002
http://support.apple.com/kb/HT5784

NOTE: As of this listing, Apple's security content document for Security Update 2013-002 mistakenly neglects to place OS X 10.6.8 in its "Products Affected" listing. Sad to say, this is in keeping with Apple's recent penchant for screwing up their documentation. Despite this error, further down the document can be found 25 security patches relevant to OS X 10.6.8.

Apple: You MUST improve your documentation. (0_o)

About the security content of Safari 6.0.5
http://support.apple.com/kb/HT5785



iTunes 11.0.4 for both Mac and Windows was also released this week but it contained no security patches.

Safari 6.0.5 features 26 security patches, all of which affect WebKit. 11 of the patched security holes were discovered by members of the Google Chrome Security Team. Again, I'm sorry to see Google leaving the WebKit project behind.

Security Update 2013-002 lists: 
  • 24 security patches relevant to OS X 10.8.4
  • 19 security patches relevant to OS X 10.7.5
  • 25 security patches specific to OS X 10.6.8 (as noted above).

OS X 10.8.4 includes security patches for:
  • CFNetwork
  • CoreAnimation
  • CoreMedia Playback
  • CUPS
  • Disk Management
  • OpenSSL
  • QuickDraw Manager
  • QuickTime
  • SMB

Security Update 2013-002 for 10.7.5 includes security patches for:
  • CoreMedia Playback
  • OpenSSL
  • QuickDraw Manager
  • QuickTime
  • SMB

Security Update 2013-002 for 10.6.8 includes security patches for:
  • Directory Service
  • OpenSSL
  • QuickTime
  • Ruby

I've been ranting at Apple for years to finally make QuickTime 10 entirely 64-bit. I am sad to say that has not yet happened with 10.8.4. The QuickTime Internet plugin and two Apple QuickTime components remain 32-bit. (0_o)

Recently, I've been chatting with people who believe Apple has all but abandoned QuickTime. Obviously, the QuickTime security patches provided in 2013-002 prove that to be incorrect. So what's with the antiquated QuickTime Internet plugin and components? Clearly, improving more than the security of QuickTime is NOT on Apple's radar. (0_o)

If you're interested in details about the patched CVE issues listed in the security content documents, you can check them out via the CVE Search link on the right side of this page, as well as by searching at both SecurityTracker and SecurityFocus, also linked at the right.

Share and Enjoy,
:-Derek


