RealTime IT News

Black Hat Vulnerabilities Get Apple's Attention

Apple's (NASDAQ: AAPL) second update to its Mac OS X 10.6 Snow Leopard operating system contains multiple fixes for vulnerabilities that were previously publicly disclosed and fixed on other operating systems.

Mac OS X 10.6.2 includes several fixes for SSL security issues that researcher Dan Kaminsky first disclosed at the Black Hat security conference in July.

One of the SSL-related fixes, in the libsecurity library, removes support for X.509 certificates signed with the MD2 cryptographic hash. As Kaminsky disclosed in his presentation earlier this year, MD2 is an obsolete hash with known cryptanalytic weaknesses, so a certificate chain that relies on an MD2 signature could potentially be forged. However, MD2 is rarely used for signatures today; most X.509 certificates in circulation are signed with newer hashes such as SHA-1, so the practical risk from MD2 is limited.

An update to OS X's Certificate Assistant patches a NULL-character vulnerability in SSL certificates, which was also revealed at Black Hat this past summer. A certificate whose subject name contains an embedded NULL byte can be read one way by the certificate authority that issued it and another way by client software that stops reading the name at the NULL. The potential risk, according to Apple, is that a user could be tricked into accepting an SSL certificate for a different domain than the one they intended to visit.
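The two certificate checks described above (refusing MD2-signed certificates, and handling a NULL byte inside a certificate's common name) can be shown together in a small script. This is an added example and not Apple's code; it uses its own minimal DER encoder and parser, the standard PKCS#1 and X.520 object identifiers, and a constructed subject name built inline, so it runs offline without any third-party library. The hostnames and the "weak algorithm" list are assumptions made for the example.

```python
# Added example (not Apple's code): DER-level view of the MD2 and NUL-byte
# certificate issues fixed in Mac OS X 10.6.2. All input is constructed inline.

# Standard OIDs from X.520 and PKCS#1 (dotted form).
OID_CN = "2.5.4.3"
OID_MD2_RSA = "1.2.840.113549.1.1.2"  # md2WithRSAEncryption, no longer accepted
WEAK_SIGNATURE_OIDS = {OID_MD2_RSA: "md2WithRSAEncryption"}  # assumed policy list

def _der_len(n):
    # DER definite-form length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def der_name(cn):
    """X.509 Name: SEQUENCE OF (SET OF (SEQUENCE { OID, UTF8String })) with one CN."""
    atv = der_tlv(0x30, der_oid(OID_CN) + der_tlv(0x0C, cn.encode("utf-8")))
    return der_tlv(0x30, der_tlv(0x31, atv))

def der_algorithm(oid):
    # AlgorithmIdentifier: SEQUENCE { OID, NULL parameters }
    return der_tlv(0x30, der_oid(oid) + der_tlv(0x05, b""))

def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def extract_cn(name_der):
    """Raw CommonName bytes, taken by DER length so an embedded NUL survives."""
    _, rdns, _ = parse_tlv(name_der)
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = parse_tlv(rdns, pos)
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = parse_tlv(rdn_set, inner)
            _, oid_body, vpos = parse_tlv(atv)
            _, value, _ = parse_tlv(atv, vpos)
            if decode_oid(oid_body) == OID_CN:
                return value
    return None

def c_string_view(cn_raw):
    # What a C-string comparison (strlen/strcmp) sees: text up to the first NUL.
    return cn_raw.split(b"\x00", 1)[0].decode("utf-8")

def hostname_matches(cn_raw, host):
    """Length-aware match: reject any NUL, else compare case-insensitively,
    allowing a single leading wildcard label such as *.bank.test."""
    if b"\x00" in cn_raw:
        return False
    cn, host = cn_raw.decode("utf-8").lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def signature_algorithm_acceptable(alg_der):
    """Return (accepted, oid); certificates signed with MD2 are refused."""
    _, body, _ = parse_tlv(alg_der)
    _, oid_body, _ = parse_tlv(body)
    oid = decode_oid(oid_body)
    return oid not in WEAK_SIGNATURE_OIDS, oid

if __name__ == "__main__":
    # Constructed attacker-style name; not taken from any real certificate.
    cn = extract_cn(der_name("www.bank.test\x00.attacker.test"))
    print("C-string view:", c_string_view(cn))                    # www.bank.test
    print("length-aware match:", hostname_matches(cn, "www.bank.test"))  # False
    print("MD2 accepted:", signature_algorithm_acceptable(der_algorithm(OID_MD2_RSA))[0])
```

The interesting line is the one the DER length makes explicit: the encoded string is the full "www.bank.test\0.attacker.test", which is what a CA validating ownership of attacker.test would see, while a client that hands the value to a C-string comparison sees only "www.bank.test" and accepts the certificate for the wrong site. Treating any NUL as a hard failure, rather than trusting the truncated view, is the fix a validator needs.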

The SSL updates are not the first time that Apple has been slow to patch a flaw first disclosed by Dan Kaminsky at Black Hat. In 2008, Apple was also behind every other major operating system vendor in patching the highly publicized DNS flaw that Kaminsky found.

The Black Hat-related security updates are not the only late updates for this new Apple release.

The new Apple update also addresses multiple Apache Web server vulnerabilities that Apache itself fixed in August. Mac OS X 10.6.2 now includes Apache 2.2.13, which fixes multiple publicly disclosed vulnerabilities in the popular open source Web server.

OS X 10.6.2 isn't all about fixing old flaws, with Apple itself discovering a few vulnerabilities that it is now patching.

Printing a document with a Mac could potentially have led to a security risk via the CUPS (Common Unix Printing System) that OS X uses.

"An issue in CUPS may lead to cross-site scripting and HTTP response splitting," Apple states in its advisory. "Accessing a maliciously crafted Web page or URL may allow an attacker to access content available to the current local user via the CUPS Web interface. This could include print system configuration and the titles of jobs that have been printed."

In addition to the security fixes, OS X 10.6.2 includes numerous bug and stability fixes, among them one for an issue that Apple said could cause a system to log a user out unexpectedly. There are also fixes for font display bugs and general improvements to graphics display.

The 10.6.2 update is Apple's second update to its latest operating system release. It follows the 10.6.1 update by two months. The first 10.6 Snow Leopard release came out at the end of August.