Update to OS X 10.9.2 closes dangerous SSL hole for Macs
Last week Apple released an important security update for its operating system OS X. Everyone running OS X 10.9, named Mavericks, on an iMac, Mac Mini, Mac Pro or MacBook was offered the update to version 10.9.2.
OS X 10.9.2 brings various improvements, but it is first and foremost a security update. It closes the dangerous SSL hole that was widely reported in the news and was already being exploited by internet criminals. The vulnerability allowed secured SSL/TLS connections, such as those used for internet banking, to be eavesdropped on, letting attackers capture passwords and other confidential data.
Besides this hole, 22 other holes in OS X 10.9 are repaired. Older versions of OS X, namely 10.7.5 Lion and 10.8.5 Mountain Lion, also receive several security updates. Given the nature of the holes, and the SSL hole in particular, updating quickly is recommended (see Apple menu | Software Update).
Beyond the patches there is more. New features include the ability to make audio calls (without video) in FaceTime. This makes FaceTime more comparable with the VoIP software Skype, which offers internet calling as well as video calling. You can now also use call waiting in FaceTime. In addition, an option has been added to block specific senders in the chat client iMessage.
Many improvements have also been made to the mail program Apple Mail (the unread message count is displayed correctly again) and the browser Safari (autofill). A problem that caused distorted audio on some Macs has been corrected. Connections over the SMB2 protocol for transferring files are reliable again. Finally, various other bugs have been fixed. The details can be read below.
OS X 10.9.2 is an update for all Macs. If you are running an older version of OS X (10.6, 10.7 or 10.8), you can now, incidentally, upgrade to OS X 10.9.2 Mavericks for free.
Release notes:
- Adds the ability to make FaceTime audio calls
- Adds call waiting support for FaceTime audio and video calls
- Adds the ability to block incoming iMessages from individual senders
- Includes general improvements to the stability and compatibility of Mail
- Improves the accuracy of unread counts in Mail
- Resolves an issue that prevented Mail from receiving new messages from certain providers
- Improves AutoFill compatibility in Safari
- Fixes an issue that may cause audio distortion on certain Macs
- Improves reliability when connecting to a file server using SMB2
- Fixes an issue that may cause VPN connections to disconnect
- Improves VoiceOver navigation in Mail and Finder
- Improves VoiceOver reliability when navigating websites
- Improves compatibility with Gmail Archive mailboxes
- Includes improvements to Gmail labels
- Improves Safari browsing and Software Update installation when using an authenticated web proxy
- Fixes an issue that could cause the Mac App Store to offer updates for apps that are already up to date
- Improves the reliability of the diskless NetBoot service in OS X Server
- Fixes braille driver support for specific HandyTech displays
- Resolves an issue using secure boot on some systems
- Improves ExpressCard compatibility for some MacBook Pro 2010 models
- Resolves an issue preventing printing to printers shared by Windows XP
- Resolves an issue with Keychain Access that could cause repeated prompts to unlock the Local Items keychain
- Fixes an issue that prevented certain preference panes from opening in System Preferences
- Fixes an issue that could prevent migration from completing while Setup Assistant is open
- Includes an improvement to the verification of SSL connections
OS X Mavericks 10.9.2 and Security Update 2014-001
-
Apache
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to cross-site scripting. These issues were addressed by updating Apache to version 2.2.26.
CVE-ID
CVE-2013-1862
CVE-2013-1896
-
App Sandbox
Available for: OS X Mountain Lion v10.8.5
Impact: The App Sandbox may be bypassed
Description: The LaunchServices interface for launching an application allowed sandboxed apps to specify the list of arguments passed to the new process. A compromised sandboxed application could abuse this to bypass the sandbox. This issue was addressed by preventing sandboxed applications from specifying arguments. This issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR
-
ATS
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of Type 1 fonts. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1254 : Felix Groebert of the Google Security Team
-
ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A memory corruption issue existed in the handling of Mach messages passed to ATS. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1262 : Meder Kydyraliev of the Google Security Team
-
ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: An arbitrary free issue existed in the handling of Mach messages passed to ATS. This issue was addressed through additional validation of Mach messages.
CVE-ID
CVE-2014-1255 : Meder Kydyraliev of the Google Security Team
-
ATS
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A buffer overflow issue existed in the handling of Mach messages passed to ATS. This issue was addressed by additional bounds checking.
CVE-ID
CVE-2014-1256 : Meder Kydyraliev of the Google Security Team
-
Certificate Trust Policy
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Root certificates have been updated
Description: The set of system root certificates has been updated. The complete list of recognized system roots may be viewed via the Keychain Access application.
-
CFNetwork Cookies
Available for: OS X Mountain Lion v10.8.5
Impact: Session cookies may persist even after resetting Safari
Description: Resetting Safari did not always delete session cookies until Safari was closed. This issue was addressed through improved handling of session cookies. This issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett
-
CoreAnimation
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreAnimation's handling of images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1258 : Karl Smith of NCC Group
-
CoreText
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Applications that use CoreText may be vulnerable to an unexpected application termination or arbitrary code execution
Description: A signedness issue existed in CoreText in the handling of Unicode fonts. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs
-
curl
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
Description: When using curl to connect to an HTTPS URL containing an IP address, the IP address was not validated against the certificate. This issue does not affect systems prior to OS X Mavericks v10.9.
CVE-ID
CVE-2014-1263 : Roland Moriz of Moriz GmbH
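The curl entry above describes a peer-identity check that silently did nothing when the URL carried an IP literal instead of a host name. The following is an added illustration, not Apple's or curl's code, of why that is a complete bypass rather than a partial one: `weak_verify` models a checker that only knows how to compare DNS names, and `strict_verify` shows the check that must be there, matching an IP target against the certificate's IP Address entries as parsed addresses. The SubjectAltName list, function names and target values are constructed for the example; the list uses the `(type, value)` tuple shape that Python's `ssl.getpeercert()` reports under `subjectAltName`.

```python
import ipaddress

# Constructed sample SubjectAltName list, in the (type, value) shape that
# Python's ssl.getpeercert()['subjectAltName'] uses. Not a real certificate.
SAMPLE_SAN = (
    ("DNS", "example.test"),
    ("DNS", "*.example.test"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:db8::10"),
)


def _parse_ip(text):
    """Return an ipaddress object for an IP literal (brackets allowed), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_matches(pattern, host):
    """RFC 6125-style DNS-ID match: exact, or one leading '*.' wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.test"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def weak_verify(target, san):
    """Identity check with the same shape of defect the advisory describes:
    it only knows how to compare DNS names, so an IP-literal target is never
    compared with anything and the check is effectively skipped."""
    if _parse_ip(target) is not None:
        return True                                # BUG: accepts any certificate
    return any(t == "DNS" and _dns_matches(v, target) for t, v in san)


def strict_verify(target, san):
    """Hardened check: an IP target must match an 'IP Address' entry, compared
    as parsed addresses so textual variants ('[2001:DB8::10]') still match;
    a DNS target must match a 'DNS' entry. Nothing else passes."""
    ip = _parse_ip(target)
    if ip is not None:
        return any(t == "IP Address" and _parse_ip(v) == ip for t, v in san)
    return any(t == "DNS" and _dns_matches(v, target) for t, v in san)


def compare(target, san=SAMPLE_SAN):
    """Side-by-side result for one target: (weak_result, strict_result)."""
    return weak_verify(target, san), strict_verify(target, san)


if __name__ == "__main__":
    for t in ("www.example.test", "192.0.2.10", "192.0.2.99", "[2001:DB8::10]"):
        weak, strict = compare(t)
        print(f"{t:18} weak={weak!s:5} strict={strict}")
```

Running it shows the asymmetry that matters operationally: for `192.0.2.99`, an address the certificate was never issued for, the weak checker answers `True` and the strict one `False`. A DNS entry whose text happens to look like an IP is deliberately not accepted for an IP target, and IPv4 and IPv6 entries never compare equal to one another. Real clients should rely on their TLS library's built-in matching rather than a hand-written one; the point of the model is what a test suite should cover, namely that IP-literal targets are verified at all.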
-
Data Security
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
CVE-ID
CVE-2014-1266
-
Date and Time
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: An unprivileged user may change the system clock
Description: This update changes the behavior of the systemsetup command to require administrator privileges to change the system clock.
CVE-ID
CVE-2014-1265
-
File Bookmark
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a file with a maliciously crafted name may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of file names. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1259
-
Finder
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Accessing a file's ACL via Finder may lead to other users gaining unauthorized access to files
Description: Accessing a file's ACL via Finder may corrupt the ACLs on the file. This issue was addressed through improved handling of ACLs.
CVE-ID
CVE-2014-1264
-
ImageIO
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted JPEG file may lead to the disclosure of memory contents
Description: An uninitialized memory access issue existed in libjpeg's handling of JPEG markers, resulting in the disclosure of memory contents. This issue was addressed by better JPEG handling.
CVE-ID
CVE-2013-6629 : Michal Zalewski
-
IOSerialFamily
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
Impact: Executing a malicious application may result in arbitrary code execution within the kernel
Description: An out of bounds array access existed in the IOSerialFamily driver. This issue was addressed through additional bounds checking. This issue does not affect systems running OS X Mavericks v10.9 or later.
CVE-ID
CVE-2013-5139 : @dent1zt
-
LaunchServices
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
Impact: A file could show the wrong extension
Description: An issue existed in the handling of certain Unicode characters that could allow filenames to show incorrect extensions. The issue was addressed by filtering unsafe Unicode characters from display in filenames. This issue does not affect systems running OS X Mavericks v10.9 or later.
CVE-ID
CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre of Intego
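The LaunchServices entry above says only that "certain Unicode characters" let a filename display a wrong extension and that the fix filters them from display. The following is an added example, written for this page and not Apple's code, of the defender-side version of that filter: it flags bidirectional control characters (and, more broadly, Unicode format characters) in a stored filename, shows what the name looks like once they are removed, and reports the extension the OS will actually use. That the bidi override family is the relevant set of "unsafe" characters is this example's assumption; the sample filenames are constructed.

```python
import unicodedata

# Bidirectional control characters: invisible, but they change how a name is
# drawn, which is what lets a rendered name end in a different extension than
# the stored one. Treating these (plus the rest of Unicode category Cf) as
# unsafe for display is this example's assumption, not Apple's exact list.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
    "\u200e", "\u200f",                                 # LRM RLM
}


def _is_unsafe(ch):
    return ch in BIDI_CONTROLS or unicodedata.category(ch) == "Cf"


def suspicious_chars(name):
    """List (index, 'U+XXXX', Unicode name) for every unsafe character in name."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if _is_unsafe(ch)]


def display_name(name):
    """Name with the unsafe characters removed, so what is shown is what is stored."""
    return "".join(ch for ch in name if not _is_unsafe(ch))


def real_extension(name):
    """Extension the OS actually uses: text after the last dot of the stored name."""
    base = display_name(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def assess(name):
    """Triage record for one filename: what is stored, what would be shown, verdict."""
    flags = suspicious_chars(name)
    return {
        "stored": name,
        "shown_after_filter": display_name(name),
        "extension": real_extension(name),
        "flagged": flags,
        "verdict": "suspicious" if flags else "ok",
    }


# Constructed samples: the first is stored as '...txt.app', but the
# RIGHT-TO-LEFT OVERRIDE makes a bidi-aware renderer draw the tail reversed,
# so it reads as 'invoiceppa.txt'. The second is an ordinary name.
SAMPLES = ["invoice\u202etxt.app", "report.pdf"]

if __name__ == "__main__":
    for n in SAMPLES:
        r = assess(n)
        print(f"{r['verdict']:10} ext={r['extension']:4} "
              f"shown={r['shown_after_filter']!r} flags={r['flagged']}")
```

Category `Cf` is a broad net: it also catches the zero-width joiner used inside emoji sequences and the soft hyphen, so a file manager would narrow the filter to the bidi set for display purposes; for triage of downloads or mail attachments the broad net is the right default, since any flagged name deserves a look before the extension is trusted.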
-
NVIDIA Drivers
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Executing a malicious application could result in arbitrary code execution within the graphics card
Description: An issue existed that allowed writes to some trusted memory on the graphics card. This issue was addressed by removing the ability of the host to write to that memory.
CVE-ID
CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation Nouveau project
CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation Nouveau project
-
PHP
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP, the most serious of which may have led to arbitrary code execution. These issues were addressed by updating PHP to version 5.4.24 on OS X Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
CVE-ID
CVE-2013-4073
CVE-2013-4113
CVE-2013-4248
CVE-2013-6420
-
QuickLook
Available for: OS X Mountain Lion v10.8.5
Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may have led to an unexpected application termination or arbitrary code execution. This issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1260 : Felix Groebert of the Google Security Team
-
QuickLook
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Downloading a maliciously crafted Microsoft Word document may lead to an unexpected application termination or arbitrary code execution
Description: A double free issue existed in QuickLook's handling of Microsoft Word documents. This issue was addressed through improved memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team
-
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ftab' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1246 : An anonymous researcher working with HP's Zero Day Initiative
-
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of 'dref' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day Initiative
-
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ldat' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1248 : Jason Kratzer working with iDefense VCP
-
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PSD images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1249 : dragonltx of Tencent Security Team
-
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An out of bounds byte swapping issue existed in the handling of 'ttfo' elements. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1250 : Jason Kratzer working with iDefense VCP
-
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of 'stsz' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day Initiative
-
Secure Transport
Available for: OS X Mountain Lion v10.8.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode. To address these issues for applications using Secure Transport, the 1-byte fragment mitigation was enabled by default for this configuration.
CVE-ID
CVE-2011-3389 : Juliano Rizzo and Thai Duong