![]() All versions of OS X prior to 10.9 support MD5 hashes, which were recently proved to be insecure. The OS X 10.9 release also improves Mac security by disabling support for X.509 security certificates that were protected by MD5 hashes. “A man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data.” “These versions are subject to a protocol weakness when using block ciphers,” Apple warned. Prior to the Mavericks release, OS X only supported the SSLv3 and TLS 1.0 versions of SSL. For the first time Apple OS X is now enabling TLS 1.2, which is a more recent and more secure implementation of transport layer security. The Mavericks release also includes several key data and transport encryption improvements. “The result is that customers can still view Flash Player content while benefiting from these added security protections.” Encryption Improvements “By providing this extra layer of protection to Safari users on OS X Mavericks, we can make it one step harder to exploit our mutual customers,” Peleus Uhley, platform security strategist at Adobe, wrote in a blog post. For the first time on Mac OS X, Adobe’s Flash Player running in Apple’s Safari Web browser will work with the Apple App Sandbox. “A compromised sandboxed application could abuse this to bypass the sandbox.”Īnother boost to sandboxing in Mavericks comes from Adobe. “The LaunchServices interface for launching an application allowed sandboxed apps to specify the list of arguments passed to the new process,” Apple stated. As it turns out, Mac OS X prior to the new 10.9 update was vulnerable to an App Sandbox bypass. The approach known as “sandboxing” isolates processes from each other and the underlying operating system in a bid to reduce risk. “This issue was addressed by additional validation of hotkey events.” Sandboxing ![]() “By registering for a hotkey event, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled,” Apple warned. There is also a CoreGraphics flaw that could have enabled an application to log keystrokes. ![]() One of the vulnerabilities could potentially enable an attacker to execute arbitrary code if a malicious PDF file is viewed. Apple’s security notification on the issue explains that “the –blockApp option did not properly block applications from receiving network connections.”Īpple fixed three separate vulnerabilities affecting OS X’s CoreGraphics library in the 10.9 update. The flaw is identified as CVE-2013-5165 and has an exploitability score of 10, meaning it can be remotely exploited by an attacker without authentication. One of the new updates in 10.9 is a fix for a vulnerability in OS X’s application firewall. The last OS X 10.8 Mountain Lion release prior to this week’s 10.9 Mavericks update is the 10.8.5 release which debuted in September. Most of the security components in the Mavericks release are not currently available in the most recent OS X 10.8 update, which provides a good reason for users of older OS X versions to update as soon as possible. Mavericks includes over 200 new features and a long list of security updates. Apple updated its OS X desktop and server operating systems this week with the 10.9 Mavericks release.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |