Apple fixes Mountain Lion bugs, firms up Java defenses

Keeps 25% of Mac users happy by continuing to patch 2009's Snow Leopard

Apple security

Apple on Tuesday updated OS X Mountain Lion, likely for one of the last times, with a combination of compatibility and reliability bug fixes as well as vulnerability patches.

The update to OS X 10.8.4 -- the first from Apple since mid-March -- was accompanied by security-only updates for both OS X 10.7, aka Lion, and OS X 10.6, better known as Snow Leopard.

Mountain Lion received at least 16 non-security bug fixes -- the number Apple called out in an advisory -- ranging from improved Calendar-to-Exchange server synchronization to allowing FaceTime video calls to non-U.S. phone numbers. A pair of fixes improved the reliability of connecting to workplace Wi-Fi networks, while others dealt with irritating issues including Macs' refusal to go into sleep mode after having run Boot Camp and a habit of its chat and texting client to mix up the order of messages.

On the security side, OS X 10.8.4 patched 31 vulnerabilities in Mountain Lion, 17 of which were labeled with the phrase "may lead to ... arbitrary code execution," Apple's way of saying the bug was critical.

A majority of the patches were aimed at open-source components integrated with Mountain Lion, such as OpenSSL (13 patches) and Ruby (8), an open-source implementation of SSL encryption and a programming language, respectively. Another four patches quashed bugs in Apple's own QuickTime media player.

One of the OpenSSL patches disabled the protocol's compression to block hacks -- Apple acknowledged that there were "known attacks" -- using techniques revealed last September by a pair of security researchers. Dubbed CRIME, the attack can decrypt session cookies from supposedly-secure HTTPS connections.

Apple listed the two researchers who came up with CRIME, Juliano Rizzo and Thai Duong, in its advisory.

Also tucked into 10.8.4 was a change in how OS X handles Java Web Start applets, yet another attempt by Apple to stymie an increasing number of attacks leveraging Java vulnerabilities.

"Starting with OS X 10.8.4, Java Web Start applications downloaded from the Internet need to be signed with a Developer ID certificate," Apple said. "Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed."

Gatekeeper is a Mountain Lion-only security tool designed to bar the installation of malware by requiring programs of all kinds to be digitally signed. By default, only software downloaded from the Mac App Store or signed with certificates Apple provides to registered developers can be installed on Mountain Lion.

Included with 10.8.4 was a Safari update that patched 26 vulnerabilities, all in WebKit, the open-source rendering engine that Apple relies on to power its browser. Most of the fixes were for critical flaws.

Eighteen of the 26 reported WebKit vulnerabilities were credited to researchers either employed at Google or outsiders with long histories of receiving bug bounties from Google.

Only one of bugs was uncovered by Apple.

That could be a problem in the future, as Google is in the middle of switching from WebKit to its own Blink engine for Chrome and Chrome OS: Traditionally, Google engineers and the company's flock of bug finders have uncovered the bulk of WebKit vulnerabilities.

Apple also patched Macs running Lion and Snow Leopard with Security Update 2013-002, a companion to 10.8.4. The Snow Leopard update arrived a record 11 months after the introduction of Mountain Lion, signaling that Apple has changed its support policy and will keep patching "n-2" long after "n," the current edition of OS X, has shipped.

Traditionally, Apple has dropped support of n-2 at the launch of n, but the back-to-back releases of Lion and Mountain Lion in 2011 and 2012, and Snow Leopard's still-sizable share, has altered Apple's policy. In May, Snow Leopard powered one in four Macs, the same as Lion.

Apple will introduce OS X 10.9, Mountain Lion's successor, next Monday at its Worldwide Developers Conference, where it will probably assign it a feline moniker and name a launch date and price. While Apple will continue to patch Mountain Lion -- perhaps for several years -- once OS X 10.9 reaches customers, the Cupertino, Calif. company will stop serving up non-security bug fixes like the ones offered Tuesday for Mountain Lion.

OS X 10.8.4 and Security Update 2013-002 can be retrieved by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right. The updates can also be downloaded manually from Apple's support site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His email address is

Read more about security in Computerworld's Security Topic Center.

Copyright © 2013 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.