Apple is tuning up its Mac OS X 10.8 Mountain Lion operating system with a new incremental update providing security, stability and bug fixes. The Mac OS X 10.8.5 update follows the 10.8.4 update, which when it debuted in June provided users with security fixes for over 50 flaws.
On the security front for Mac OS X 10.8.5, Apple is providing users with updated packages for a number of open-source applications that are part of the operating system. Among the updated open-source apps are new versions of the Apache Web server, the BIND DNS server, the PHP language and the PostgreSQL database.
OS X also makes use of the open-source OpenSSL, a Secure Sockets Library used to encrypt data transmission. According to Apple, multiple vulnerabilities exist in OpenSSL, the most serious of which may lead to disclosure of user data. The OS X 10.8.5 update now includes a new version of OpenSSL that has fixed those issues.
One of the ways that SSL in general works is that the operating system or the Web browser will trust a given certificate because it is signed and issued by a recognized certificate authority. As part of the OS X 10.8.5 update, Apple is updating its Certificate Trust Policy, adjusting the root certificates from the certificate authorities that are trusted. Apple is also patching its installer for a security flaw that could have potentially enabled software packages to be installed even after the security certificate that they have been signed with has been revoked.
“When Installer encountered a revoked certificate, it would present a dialog with an option to continue,” Apple warned. “The issue was addressed by removing the dialog and refusing any revoked package.”
Privilege Escalation
The OS X 10.8.5 update provides a number of security fixes for issues related to privilege escalation. One of the patched components is the Apple Mac OS X screen lock feature that is intended to keep unauthorized users out of a Mac.
“A user with screen sharing access may be able to bypass the screen lock when another user is logged in,” Apple warned. “A session management issue existed in the screen lock’s handling of screen sharing sessions.”
Another flaw is one in the sudo feature in OS X, which gives users root access to their device. Apple is patching sudo in 10.8.5 for a flaw that could potentially enable an attacker to get root access without having a password.
“By setting the system clock, an attacker may be able to use sudo to gain root privileges on systems where sudo has been used before,” Apple’s advisory states. “This issue was addressed by checking for an invalid timestamp.”
Graphics
A pair of graphics-related systems on OS X are also part of the update. Apple’s CoreGraphics and ImageIO capabilities are being patched for flaws that could enable an attacker to execute arbitrary code simply by having a user view a malicious PDF file.
On the non-security front, the 10.8.5 update provides a number of stability bug fixes. Among the fixed issues are improvements to Mac OS X’s WiFi transfer performance as well as improved large file transfer reliability over Ethernet.
The 10.8.5 update is likely to be the last major update for Apple’s Mountain Lion before it is replaced in October by the 10.9 Mavericks release.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.