Time to Polish Your Apple: OS X & Safari Updates

Severity: High

Summary:

• These vulnerabilities affect: Apple OS X 10.6.x-10.8.x and Safari 6.0.4 and below
• How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files (often multimedia files), or visiting malicious websites
• Impact: Various results; in the worst case, an attacker can execute code with your privileges
• What to do: Install the appropriate OS X and Safari, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released two security updates to fix many vulnerabilities in OS X and Safari (Mac version only). If you use Mac computers, you should apply these significant updates quickly. I summarize Apple’s alerts below:

• OS X Update Fixes 33 Vulnerabilities

Apple released an update to fix vulnerabilities in all current versions of OS X. The update patches about 33 (number based on CVE-IDs) security issues in 11 of the components that ship as part of OS X, including QuickTime, OpenSSL, and Ruby. The flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing a malicious file. Most of these file handling issue involve multimedia files, such as movies and pictures. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.

WatchGuard rating: Critical

• Safari Update (6.0.5) for Mac

Apple also released an update to fix about 26 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). The majority of these are memory corruption issues that attackers could exploit to run arbitrary code on your Mac, with your privileges. Of course, they’d have to lure you to a web site with malicious code in order to trigger the attack. Many of these vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser. See Apple’s alert for more detail.

WatchGuard rating: Critical

Solution Path:

Apple has released update for all these products. If you use Mac computers, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.

Personally, I have not had any problems with Apple’s automatic updates, so I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates are your best solution.

Status:

Apple has released patches correcting these issues.

References:

• Apple’s June OS X security alert
• Apple’s June Safari security alert
• Apple’s manual download page

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.