Monday, June 24, 2013

On Vacation but:
Java updates from Oracle and Apple
(Be sure to have the UNmessed-up
Apple Java update!!!)
and Adobe Flash Update

--

I'm on a break while I work on other things. But here is some quickie news. I expect, if you're a regular reader, you know how to dig up the URLs and CVE reports by now.

I) MASSIVE CRITICAL Java update from both Oracle and Apple, including 40 (FORTY) security patches. Apple's update is for Java version 1.6 only, the part of Java included in OS X. The update is for OS X 10.6 - 10.8.

II) Apple MESSED-UP their original Java update release, which was labeled "JavaForOSX2013-003". This mess KILLED Java and must be updated with what replaced it: "JavaForOSX2013-004". From my experience, Software Update did NOT provide me with the updated version. I had to grab 004 myself and apply it myself. You may have to do so as well.

Here is an article to help you sort out whether you got STUNG by Apple's mess or not, and how to clean it up. Thank you to 9to5Mac.com:

Bug in Apple Java update – now fixed, but check you have the correct version

III) Adobe tossed out a scheduled Flash update that patched one critical security hole. If you use Flash any more, be sure you have applied this latest update.


OTHER AMUSING NEWS: 

I'm running into hilarious FUD about the MacKeeper crapware from none other than one of their competitors. They claim you can REMOVE crappy MacKeeper by installing THEIR crappy software instead. Needless to say, avoid replacing crap with crap. If you foolishly installed MacKeeper, go to their website to learn how to UNinstall it.

Also amusing: Apparently crappy MacKeeper has been sold to some other company, who apparently have changed none of crappy ZeoBIT's evil marketing moron tactics. But at least it is good to know that everyone's efforts to kick ZeoBIT in the dangly bits have been successful. ZeoBIT is now out of the picture, hurray. Let's hope their crapware is soon to follow.


Also note: There has been a rash of Microsoft Office-specific malware. I personally don't care or follow such malware. You're on your own if you still put up with Microsoft. But it's worth noting that Office malware continues. Check out my net buddy Thomas Reed's 'The Safe Mac' security blog for details. I believe Intego and Sophos have been following this scourge as well. Links to their sites are on the right of this page.

Enjoy the summer!
Stay cool.
Stay kewl.

:-Derek

Friday, June 7, 2013

A Week's Worth Of Apple Security Updates:
- OS X 10.8.4
- Security Update 2013-002
- Safari 6.0.5

--

This past week, Apple provided OS X 10.8.4 Mountain Lion. Integrated into the OS X update were Security Update 2013-002 and Safari 6.0.5. For users of OS X 10.7.5 Lion, the Security Update and Safari update were available separately. For users of OS X 10.6.8 Snow Leopard, only the Security Update was available.

For a few days, the OS X 10.8.4 Combo update was corrupt on at least one Apple server, throwing "invalid checksum" errors whenever anyone attempted to open the .dmg file.



NOTE: If you downloaded the "OSXUpdCombo10.8.4.dmg" file for future use and have not yet attempted opening the file, I suggest you do so IMMEDIATELY. Apple has repaired the server problem, at least from my personal experience, providing a working replacement for the bad file.

Below are the links for the various updates and their security documents:


OS X Mountain Lion Update v10.8.4 Combo
http://support.apple.com/downloads/DL1659/en_US/OSXUpdCombo10.8.4.dmg

OS X Mountain Lion Update v10.8.4 (for updating from 10.8.3)
http://support.apple.com/downloads/DL1658/en_US/OSXUpd10.8.4.dmg

Security Update 2013-002 Server (Lion)
Security Update 2013-002 Client (Lion)

Security Update 2013-002 Server (Snow Leopard)
http://support.apple.com/downloads/DL1663/en_US/SecUpdSrvr2013-002.dmg

Security Update 2013-002 Client (Snow Leopard)
http://support.apple.com/downloads/DL1660/en_US/SecUpd2013-002.dmg

Safari 6.0.5: Only available via Software Update within OS X 10.7.5. Included with the 10.8.4 update.


About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002
http://support.apple.com/kb/HT5784

NOTE: As of this listing, Apple's security content document for Security Update 2013-002 mistakenly neglects to place OS X 10.6.8 in its "Products Affected" listing. Sad to say, this is in keeping with Apple's recent penchant for screwing up their documentation. Despite this error, further down the document can be found 25 security patches relevant to OS X 10.6.8.

Apple: You MUST improve your documentation. (0_o)

About the security content of Safari 6.0.5
http://support.apple.com/kb/HT5785



iTunes 11.0.4 for both Mac and Windows was also released this week but it contained no security patches.

Safari 6.0.5 features 26 security patches, all of which affect WebKit. 11 of the patched security holes were discovered by members of the Google Chrome Security Team. Again, I'm sorry to see Google leaving the WebKit project behind.

Security Update 2013-002 lists:
  • 24 security patches relevant to OS X 10.8.4
  • 19 security patches relevant to OS X 10.7.5
  • 25 security patches specific to OS X 10.6.8 (as noted above).

OS X 10.8.4 includes security patches for:
  • CFNetwork
  • CoreAnimation
  • CoreMedia Playback
  • CUPS
  • Disk Management
  • OpenSSL
  • QuickDraw Manager
  • QuickTime
  • SMB

Security Update 2013-002 for 10.7.5 includes security patches for:
  • CoreMedia Playback
  • OpenSSL
  • QuickDraw Manager
  • QuickTime
  • SMB

Security Update 2013-002 for 10.6.8 includes security patches for:
  • Directory Service
  • OpenSSL
  • QuickTime
  • Ruby

I've been ranting at Apple for years to finally make QuickTime 10 entirely 64-bit. I am sad to say that has not yet happened with 10.8.4. The QuickTime Internet plugin and two Apple QuickTime components remain 32-bit. (0_o)

Recently, I've been chatting with people who believe Apple has all but abandoned QuickTime. Obviously, the QuickTime security patches provided in 2013-002 prove that to be incorrect. So what's with the antiquated QuickTime Internet plugin and components? Clearly, improving more than the security of QuickTime is NOT on Apple's radar. (0_o)

If you're interested in details about the patched CVE issues listed in the security content documents, you can check them out via the CVE Search link on the right side of this page, as well as by searching at both SecurityTracker and SecurityFocus, also linked at the right.

Share and Enjoy,
:-Derek