Apple Security Update Patches Mac OS X
Apple this week patched 51 vulnerabilities in Mac OS X, most of them critical, in 2012's first security update.
Both Mac OS X 10.7, also known as Lion, and 10.6, better known as Snow Leopard, were updated with fixes. The two operating systems were last updated in mid-October 2011.
Some Lion users reported post-update catastrophes. In a quickly growing thread on the Apple support forum, users said that after updating, every application crashed when launched.
Among the patches were a pair that addressed a vulnerability in SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0 that was demonstrated last September by researchers who crafted a hacking tool dubbed BEAST, for "Browser Exploit Against SSL/TLS."
Apple had previously patched the same bug in iOS, and other vendors, including Microsoft and Mozilla, had also beaten Apple to this patch punch.
The company was also late to the patching party with the revocation of trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority (CA). Last year, researchers found that Digicert had issued 22 certificates with weak 512-bit keys and missing certificate extensions and revocation information.
Microsoft and Mozilla revoked trust in Digicert nearly three months ago.
Apple patched six vulnerabilities in QuickTime, the media player bundled with Mac OS X, that could be triggered with malicious image, audio or video files, said Apple in its advisory.
Of the 51 total flaws, 40 were tagged by Apple with its usual "arbitrary code execution" phrase, the company's way of saying that the bugs were critical and could be used by attackers to hijack a Mac with a working exploit.
One of the vulnerabilities could be exploited in a "drive-by" attack, which only requires duping users into browsing to a malicious site to be successful.
As usual, the security update quashed bugs in numerous modules of the operating system, including open-source elements that Apple integrates with its own code. Fixes affected the Apache, ColorSync, OpenGL, PHP and X11 components, among others.
Mac OS X 10.7.3, the third update since Apple shipped Lion in July 2011, also included non-security fixes and changes that handled bugs in Wi-Fi -- Apple said it had taken care of one where the wireless connection wouldn't re-establish after bringing a Mac out of sleep mode -- and made several improvements to the OS's integration with Windows Server's Active Directory, which oversees authentication on enterprise networks.
Apple has issued fixes for bugs in Lion's Wi-Fi functionality before, notably in Mac OS X 10.7's first update last August.
The upgrade to Snow Leopard was a security-only update identified as 2012-001.
As part of the Lion and Snow Leopard updates, Apple bumped Safari to version 5.1.3.
Some Mac owners, however, were very unhappy with what happened to their machines after the Lion update.
"Just updated to 10.7.3 and everything crashes," said someone identified as "albert421" in a message Wednesday that kicked off a long thread. "All apps all windows will just pop out error with CUI CUI CUI CUI."
Others chimed in with similar reports, with some saying that they had successfully recovered by restoring a Time Machine backup, using Lion's recovery partition or reinstalling Mac OS X.
One tipster suggested that frustrated users download and install the Combo update -- a much larger file -- if they could boot their Mac in "safe mode" by pressing the Shift key as the machine starts.
Mac OS X 10.7.3 and the separate 2012-001 security update for Snow Leopard can be downloaded at the Apple site or installed using the operating system's built-in update service.
Apple has stopped issuing updates to Mac OS X 10.5, aka Leopard.
According to Web metrics company Net Applications, Lion powered 34 percent, or just over a third, of all Macs that went online last month. Leopard accounted for 15 percent of all Macs.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.