Apple Fixes 39 Mac OS X, Apps Bugs as 'Lion' Approaches

Apple's massive security update to Snow Leopard and other Mac applications addressed multiple remote code execution and arbitrary code execution flaws.

Apple fixed 39 vulnerabilities across Mac OS X and a slew of Mac applications. The company also released OS X 10.6.8, which may be the last major update to the operating system before version 10.7 "Lion" arrives next month.

Apple closed security holes in QuickTime, MobileMe, the MySQL implementation in OS X Server and AppStore in Security Update 2011-004, the company said in its support document June 24. In Mac OS X 10.6.8 (for Snow Leopard) Apple patched three bugs in the operating system and improved protection against MacDefender fake antivirus scams and related Trojans, according to Apple's KnowledgeBase article.

The OS X 10.6.8 update also has improved IPv6 and VPN support as well as implemented enhancements to the Mac App Store to "prepare" the Mac for the upgrade to the new Lion operating system, OS X 10.7, expected in July.

"The Mac OS X v10.6.8 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility and security of your Mac," Apple said.

The 2011-004 update includes all the Snow Leopard bug fixes as well improvements in AirPort network security, issues handling maliciously crafted files in ColorSync, CoreGraphics and ATS (Apple Type Services) and a Windows ID flaw in the Samba file-sharing protocol. All of these vulnerabilities, if exploited, would have allowed the attacker to run arbitrary code on the targeted Mac.

Apple also addressed a serious vulnerability in OS X's certificate trust policy, which governs how the Mac handles digital certificates. The vulnerability could be exploited by an attacker already in the network to eavesdrop and intercept user credentials and other sensitive data. The certificate trust policy flaw was identified and reported by two Google researchers.

The issue exists if an Extended Validation certificate didn't have an address to check its validity using the OCSP (Online Certificate Status Protocol). Even if the option to verify all certificates against the CRL (certificate revocation list) was selected, the error handling issue meant the list would not be checked and revoked certificates would be accepted as valid.

"This issue is mitigated as most EV certificates specify an OCSP URL," Apple said in its advisory.

Apple fixed five vulnerabilities in QuickTime, the default media player widely used on the Web. All the bugs could have been exploited by a remote attacker to run arbitrary code. Apple also addressed eight different remote code execution flaws in the MySQL implementation that ships with OS X Server. There were five issues with Apple's OpenSSL implementation, some of which were also remote code execution bugs, as well.

The way embedded TrueType fonts were being handled in Apple Type Services could cause a heap-based buffer overflow when a document containing a maliciously crafted embedded font was viewed or downloaded, according to Apple's advisory. The flaw, which could be exploited by an attacker to execute arbitrary code, was reported by two researchers from Red Hat Security Response Team.

An AirPort vulnerability in both desktop and server versions of Mac OS X 10.5.8 allowed attackers on the same Wi-Fi network to cause the Mac to do a system reset.