Apple today published a security update for Mac OS X 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks). The update addresses 13 distinct vulnerabilities across many areas of Apple’s Mac OS X, for example:
- CVE-2014-1319 – an overflow in JPEG handling that can lead to Remote Code Execution (RCE) in 10.9 (Mavericks)
- CVE-2014-1315 – a format string issue in URL handling that can lead to RCE in 10.9 (Mavericks)
- CVE-2014-1314 – a Sandbox escape vulnerability in 10.8 (Mountain Lion) and 10.9 (Mavericks)
- CVE-2013-5170 – a PDF parsing vulnerability that can lead to RCE in 10.8 (Mountain Lion)
An SSL bug was also addressed under CVE-2014-1295, but it is unrelated to the Heartbleed bug in OpenSSL. Apple ships with OpenSSL 0.9.8, a version that is not affected by Heartbleed.
Not surprisingly, given their similar heritage, Apple also published a new version of iOS that addresses some of the same issues. Version 7.1.1 fixes three CVEs in common plus another 16 in WebKit, the basis for the Safari browser. Apple had addressed similar vulnerabilities with Safari 7.0.3 and 6.1.3 in early April.
We recommend installing the new versions both for Mac OS X and iOS as quickly as possible.