This article originally appeared in TidBITS on 2013-09-12 at 3:21 p.m.
The permanent URL for this article is: http://tidbits.com/article/14104

OS X 10.8.5 Fixes Nasty Text Rendering Bug

by Josh Centers

While Apple continues to move toward the upcoming debut of OS X 10.9 Mavericks, the company has quietly pushed out OS X Mountain Lion Update 10.8.5 [1] with a handful of stability and performance fixes. The free update is available via the Mac App Store, with delta [2] (273.72 MB — from 10.8.4) and combo [3] (831.13 MB — from any previous version of 10.8) updaters ready for download from Apple’s Web site. Though we haven’t heard of any significant problems with the update, it’s always a good idea to wait a few days to see if any arise.

[image link] [4]

Bugs fixed include one that prevented Apple Mail from displaying messages, another that stopped the screensaver from starting automatically, and a third that stopped a smart card from unlocking preference panes in System Preferences. The update also enhances performance in three areas: AFP file transfers over 802.11ac Wi-Fi, large file transfers over Ethernet, and Open Directory authentication. Also, the update improves Xsan reliability and bundles in the bug fixes in MacBook Air (Mid 2013) Software Update 1.0 (for details, see “MacBook Air (Mid 2013) Software Update 1.0,” 22 July 2013).

But perhaps the most important change is one Apple mentioned only in a note at the end of the update’s security release notes: a patch for a nasty text rendering bug that could cause Messages and Safari to crash, and cause Wi-Fi errors if a network was named with the characters in question (see “Text Display Bug Can Render Apps Unusable [5],” 30 August 2013). After installing 10.8.5, we tested sample URLs that had previously caused crashes, and can confirm that Apple has squashed this bug, which had already been fixed in iOS 7 and Mavericks. It presumably still exists in the current iOS 6.1.3; we anticipate a 6.1.4 update to iOS to fix it as well.

OS X Mountain Lion Update 10.8.5 also includes a variety of security improvements, most notably a fix for an issue where an attacker could gain superuser access by resetting the system clock. (For details, see “Hackers Can Root Macs by Going Back in Time [6],” 30 August 2013.)

Also plugged are security holes in CoreGraphics, ImageIO, and QuickTime that could permit malicious PDFs or movie files to cause application crashes or arbitrary code execution.

Additionally, the update fixes other user-level vulnerabilities, including Installer packages that could be opened after certificate revocation, a bug that could allow users with screen sharing access to bypass the screen lock, and a vulnerability in Mobile Device Management that could disclose passwords to local users.

Finally, 10.8.5 addresses a number of security vulnerabilities on the Unix end, via updates to the Apache Web server, the BIND DNS server, the ClamAV virus scanner, the IPSec security package, the PHP scripting language, and the PostgreSQL database. Plus, the update fixes a kernel bug that could enable a local denial-of-service attack.

[1]: http://support.apple.com/kb/HT5815
[2]: http://support.apple.com/kb/DL1675
[3]: http://support.apple.com/kb/DL1676
[4]: http://tidbits.com/resources/2013-09/Mountain-Lion.png
[5]: http://tidbits.com/article/14067
[6]: http://tidbits.com/article/14068