Apple closes numerous holes in Mac OS X and Safari
With the 10.7.4 Mac OS X Lion update and security update 2012-002 for 10.6, Apple has closed numerous critical vulnerabilities in Mac OS X and its components. The most prominent fix in this update stops Lion from storing plain text passwords. Due to a mistake in the previous update, Lion stored the passwords of users who mounted their home/user directory from a network volume (NFS, AFP or SMB) in the system log unencrypted and readable by anyone with admin or physical access.
Those who continued to use the first version of the FileVault encryption after upgrading from Snow Leopard to Lion were also affected. The problem was caused by a forgotten debug option being left enabled in the HomeDirMounter. As the update does not have the ability to delete the accidentally stored data, Apple has provided instructions on how to track down log files that could potentially contain plain text passwords. The company has also closed a hole in the kernel that, despite FileVault being activated, caused unencrypted files to be left behind when Lion was in hibernation.
Further vulnerabilities have been fixed in components such as the LoginUIFramework, where a race condition allowed guest users of Lion to log in as another user without having to enter a password. Apple has also closed a hole in the HFS filesystem that allowed Lion systems to be infected with malicious code by mounting a specially crafted disk image. Curl is now protected against problems such as the "BEAST" attacks on encrypted connections. The developers have also fixed various non-security issues.
One fix, specifically for Mac OS X 10.6, Snow Leopard, is for the Samba server which, if active, allowed remote attackers to inject malicious code into a system without providing any valid access credentials. The Samba server is not used in Mac OS X 10.7.
Apple has also released another security update for its Safari browser for Mac OS X and Windows. A memory corruption issue in WebKit allowed systems to be infected with malicious code when a specially crafted web page was visited. Another hole enabled a specially crafted page to fill in forms on other pages. A cross-site scripting hole that was discovered at Google's Pwnium hacker contest has also been closed.
(fab)