Apple releases OS 10.8.4

Apple released the next update for OS X, 10.8.4. Eventually, we should learn more about the security content of the update, but at this point, the security page has not been updated yet [1].

However, Apple did distribute a list of patched vulnerabilities via e-mail (thanks Dave for sharing). The update fixes a total of 33 vulnerabilities. Here are some of the highlights:

OS 10.8.4 Update Overview
CVE #	Component	Affected Versions
2013-0982	CFNetwork	10.8 - 10.8.3	data leakage (authentication cookies)
2013-0983	CoreAnimation	10.8 - 10.8.3	code execution
2013-1024	CoreMedia	10.7-10.7.5 (Server 10.8-10.8.3	code execution
2013-5519	CUPS	10.8-10.8.3	priv. escalation
2013-0984	Directory Service	10.6.8	remote code execution as system
2013-0985	Disk Management	10.8-10.8.3	data leakage (disable file vault)
2012-4829	OpenSSL	10.6.8, 10.7-10.7.5, 10.8-10.8.3	data leakage ("CRIME" attack)
multiple	OpenSSL	10.6.8, 10.7-10.7.5, 10.8-10.8.3	DoS, data leakage
2013-0987	QuickTime QTIF Files	10.6.8, 10.7-10.7.5, 10.8-10.8.3	code execution
2013-0988	QuickTime FPX Files	10.6.8., 10.7-10.7.5, 10.8-10.8.3	code execution
2013-0989	QuickTime MP3 Files	10.8-10.8.3	code execution
multiple	Ruby on Rails	10.6.8	code execution (EXPLOITED)
2013-0990	SMB	10.7-10.7.5, 10.8-10.8.3	authenticated user may write files outside of shared directory

Other changes:

Gatekeeper will check downloaded JNLP applications and may require a valid developer ID certificate.

In addition, this update includes Safari 6.0.5 with various improvements / security fixes not listed here.

Safari 6.0.5 patches a total of 23 arbitrary code execution vulnerabilities, two cross site scriting issue and one problem with the XSS Auditor that may cause form submissions to be altered.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Winter 2019

Johannes

3655 Posts
ISC Handler

Jun 5th 2013
6 years ago

Typo above: CVE-2013-5519 here really means CVE-2012-5519; it was known publicly and the vendor notified almost 7 months ago. A user who could configure printers could also read/overwrite any file on that system.

I'd never seen a detailed list before of the vulnerabilities that are patched in OS X. The attack surface is so broad here, from network services to multimedia codecs. People don't use these devices for anything important, do they? Like accessing their email, Internet banking, software development...

Steven C.

171 Posts

Quote

Jun 5th 2013
6 years ago

OS X 10.8.4 update information - http://support.apple.com/kb/HT5730

Security content, - http://support.apple.com/kb/HT5784

Safari 6.0.5 security content - http://support.apple.com/kb/HT5785

The combo updater download is about 900 meg. It took about 20 minutes to install on a 2012 MacBook Pro running 10.8.3.

Steven C.
6 Posts

Quote

Jun 5th 2013
6 years ago

p.s. Steven, the attack surface doesn't seem any broader than the average Windows or Linux update...

Steven C.
6 Posts

Quote

Jun 5th 2013
6 years ago

Looks like there's also a Security Update 2013-002 for both Lion and Snow Leopard. Can anyone explain Apple's patch release policies to me; thought they only support the 2 most current versions. Did that end w/ their Java debacle?

Dean

135 Posts

Quote

Jun 5th 2013
6 years ago

Re: Apple software update lifecycle

Actually, its a -2 methodology. They support the existing OS version currently being installed and the two previous. So that would mean everything back to 10.6.x (snowleopard) is still being supported. When they go to a 10.9, then you will effectively only get updates for 10.7 and later.

TexISO

19 Posts

Quote

Jun 6th 2013
6 years ago

Seems that not too long ago it was -1 strategy (http://www.computerworld.com/s/article/9231513/Apple_goes_against_grain_extends_support_for_Snow_Leopard)

Dean

135 Posts

Quote

Jun 6th 2013
6 years ago