This article originally appeared in TidBITS on 2013-09-12 at 3:23 p.m.
The permanent URL for this article is: http://tidbits.com/article/14107

Security Update 2013-004 for Lion and Snow Leopard

by Josh Centers

Apple has released Security Update 2013-004 [1] for Mac OS X 10.7 Lion and 10.6 Snow Leopard, both of which receive two versions: Lion [2] (113.23 MB) and Lion Server [3] (161.17 MB), plus Snow Leopard [4] (331.5 MB) and Snow Leopard Server [5] (406.49 MB).

Most notably, the updates fix an issue in Lion where an attacker could gain superuser access by resetting the system clock. (For details, see “Hackers Can Root Macs by Going Back in Time [6],” 30 August 2013.)

Additionally, these updates fix other user-level vulnerabilities in Lion, including security holes in QuickTime that could permit malicious movie files to cause application crashes or arbitrary code execution, Installer packages that could be opened after certificate revocation, and an issue in Mobile Device Management that could disclose passwords to local users.

Also fixed are a number of security vulnerabilities on the Unix end, via updates to the Apache Web server, the BIND DNS server (Lion only), the ClamAV virus scanner, the IPSec security package, the PHP scripting language, and the PostgreSQL database (Lion only). (Free, various sizes)

[1]: http://support.apple.com/kb/HT5880
[2]: http://support.apple.com/kb/DL1677
[3]: http://support.apple.com/kb/DL1679
[4]: http://support.apple.com/kb/DL1678
[5]: http://support.apple.com/kb/DL1680
[6]: http://tidbits.com/article/14068