Apple fixes irritating Mountain Lion bugs, firms up Java defenses

Keeps 25% of Mac users happy by continuing to patch 2009's Snow Leopard

Apple on Tuesday updated OS X Mountain Lion, likely for one of the last times, with a combination of compatibility and reliability bug fixes as well as vulnerability patches.

The update to OS X 10.8.4 -- the first from Apple since mid-March -- was accompanied by security-only updates for both OS X 10.7, aka Lion, and OS X 10.6, better known as Snow Leopard.

Mountain Lion received at least 16 non-security bug fixes -- the number Apple called out in an advisory -- ranging from improved Calendar-to-Exchange server synchronization to allowing FaceTime video calls to non-U.S. phone numbers. A pair of fixes improved the reliability of connecting to workplace Wi-Fi networks, while others dealt with irritating issues including Macs' refusal to go into sleep mode after having run Boot Camp and a habit of its chat and texting client to mix up the order of messages.

On the security side, OS X 10.8.4 patched 31 vulnerabilities in Mountain Lion, 17 of which were labeled with the phrase "may lead to ... arbitrary code execution," Apple's way of saying the bug was critical.

A majority of the patches were aimed at open-source components integrated with Mountain Lion, such as OpenSSL (13 patches) and Ruby (8), an open-source implementation of SSL encryption and a programming language, respectively. Another four patches quashed bugs in Apple's own QuickTime media player.

One of the OpenSSL patches disabled the protocol's compression to block hacks -- Apple acknowledged that there were "known attacks" -- using techniques revealed last September by a pair of security researchers. Dubbed CRIME, the attack can decrypt session cookies from supposedly-secure HTTPS connections.

Apple listed the two researchers who came up with CRIME, Juliano Rizzo and Thai Duong, in its advisory.

Also tucked into 10.8.4 was a change in how OS X handles Java Web Start applets, yet another attempt by Apple to stymie an increasing number of attacks leveraging Java vulnerabilities.

"Starting with OS X 10.8.4, Java Web Start applications downloaded from the Internet need to be signed with a Developer ID certificate," Apple said. "Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed."

Gatekeeper is a Mountain Lion-only security tool designed to bar the installation of malware by requiring programs of all kinds to be digitally signed. By default, only software downloaded from the Mac App Store or signed with certificates Apple provides to registered developers can be installed on Mountain Lion.

Included with 10.8.4 was a Safari update that patched 26 vulnerabilities, all in WebKit, the open-source rendering engine that Apple relies on to power its browser. Most of the fixes were for critical flaws.

Eighteen of the 26 reported WebKit vulnerabilities were credited to researchers either employed at Google or outsiders with long histories of receiving bug bounties from Google.

Only one of bugs was uncovered by Apple.

That could be a problem in the future, as Google is in the middle of switching from WebKit to its own Blink engine for Chrome and Chrome OS: Traditionally, Google engineers and the company's flock of bug finders have uncovered the bulk of WebKit vulnerabilities.

Apple also patched Macs running Lion and Snow Leopard with Security Update 2013-002, a companion to 10.8.4. The Snow Leopard update arrived a record 11 months after the introduction of Mountain Lion, signaling that Apple has changed its support policy and will keep patching "n-2" long after "n," the current edition of OS X, has shipped.

Traditionally, Apple has dropped support of n-2 at the launch of n, but the back-to-back releases of Lion and Mountain Lion in 2011 and 2012, and Snow Leopard's still-sizable share, has altered Apple's policy. In May, Snow Leopard powered one in four Macs, the same as Lion.

Apple will introduce OS X 10.9, Mountain Lion's successor, next Monday at its Worldwide Developers Conference, where it will probably assign it a feline moniker and name a launch date and price. While Apple will continue to patch Mountain Lion -- perhaps for several years -- once OS X 10.9 reaches customers, the Cupertino, Calif. company will stop serving up non-security bug fixes like the ones offered Tuesday for Mountain Lion.

OS X 10.8.4 and Security Update 2013-002 can be retrieved by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right. The updates can also be downloaded manually from Apple's support site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His email address is

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags ApplesecurityMac OS XMalware and Vulnerabilities

More about AppleApple.FaceTimeGoogleMacsMicrosoftMozillaTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place