Apple on Tuesday updated OS X 10.8 Mountain Lion, likely for one of the last times, with a combination of compatibility and reliability bug fixes as well as vulnerability patches.
The OS X 10.8.4 update -- the first from Apple since mid-March -- was accompanied by security-only updates for both OS X 10.7Lion and OS X 10.6 Snow Leopard.
[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in "Fight Today's Malware," InfoWorld's Shop Talk video. | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]
Mountain Lion received at least 16 non-security bug fixes -- the number Apple called out in an advisory -- ranging from improved Calendar-to-Exchange server synchronization to allowing FaceTime video calls to non-U.S. phone numbers. A pair of fixes improved the reliability of connecting to workplace Wi-Fi networks, while others dealt with irritating issues including Macs' refusal to go into sleep mode after having run Boot Camp and a habit of its chat and texting client to mix up the order of messages.
On the security side, OS X 10.8.4 patched 31 vulnerabilities in Mountain Lion, 17 of which were labeled with the phrase "may lead to ... arbitrary code execution," Apple's way of saying the bug was critical.
A majority of the patches were aimed at open-source components integrated with Mountain Lion, such as OpenSSL (13 patches) and Ruby (8), an open-source implementation of SSL encryption and a programming language, respectively. Another four patches quashed bugs in Apple's own QuickTime media player.
One of the OpenSSL patches disabled the protocol's compression to block hacks -- Apple acknowledged that there were "known attacks" -- using techniques revealed last September by a pair of security researchers. Dubbed CRIME, the attack can decrypt session cookies from supposedly-secure HTTPS connections.
Apple listed the two researchers who came up with CRIME, Juliano Rizzo and Thai Duong, in its advisory.
Also tucked into 10.8.4 was a change in how OS X handles Java Web Start applets, yet another attempt by Apple to stymie an increasing number of attacks leveraging Java vulnerabilities.
"Starting with OS X 10.8.4, Java Web Start applications downloaded from the Internet need to be signed with a Developer ID certificate," Apple said. "Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed."
Gatekeeper is a Mountain Lion-only security tool designed to bar the installation of malware by requiring programs of all kinds to be digitally signed. By default, only software downloaded from the Mac App Store or signed with certificates Apple provides to registered developers can be installed on Mountain Lion.
Included with 10.8.4 was a Safari update that patched 26 vulnerabilities, all in WebKit, the open-source rendering engine that Apple relies on to power its browser. Most of the fixes were for critical flaws.