Apple last week released two updates that are important largely for their security-related changes: Mac OS X 10.7.4 and Safari 5.1.7 for Mac OS X.
Mac OS X 10.7.4 -- First up is Mac OS X 10.7.4, which fixes a security error introduced in 10.7.3 that exposed a user’s password if they upgraded to Lion while leaving the legacy version of FileVault enabled. The flaw was due to a developer leaving debugging code enabled, which logged the user’s password in plain text. This problem affected only the older version of FileVault that encrypted a user’s home directory, as opposed to the FileVault 2 feature introduced in Lion that encrypts the entire disk. To be exposed, you would have had to upgrade a legacy FileVault system to Lion and keep the older FileVault in place.
Although this extremely serious bug essentially negated any password security on affected systems, it’s unlikely that many users were exposed.
In addition to a number of other security-related changes, Mac OS X 10.7.4 corrects or improves a few additional behaviors. It fixes an issue where the “Reopen windows when logging back in” setting was always enabled, improves the reliability of copying files to an SMB server, and fixes a problem that prevented files from copying to a server. Also, compatibility has been improved with some British third-party USB keyboards. Permission issues that cropped up when using the Get Info window’s option to “Apply to enclosed items” have also been addressed.
Other changes include better printing to an SMB print queue, improved performance when connecting to a WebDAV server, a fix for using a proxy auto-configuration (PAC) file, and improved reliability when binding to and logging into Active Directory accounts. Raw image compatibility for recent cameras has also been updated, including the Nikon D800 and Canon EOS 5D Mark III.
Mac OS X 10.7 Lion Server also receives updates related to file sharing, Profile Manager, mobile accounts, server administration, the email and Web servers, and Xsan.
The Mac OS X 10.7.4 Update is available via Software Update as a 729.6 MB download; standalone updates are available in four forms. If you’re going to bother to download an update instead of relying on Software Update, it’s worth getting the combo update that will update any version of 10.7, since there have been a few issues in the past with the smaller delta updaters.
Mac OS X Lion Update 10.7.4 (692.68 MB)
Mac OS X Lion Update 10.7.4 Combo (1.4 GB)
Mac OS X Lion Update 10.7.4 Server (738.71 MB)
Mac OS X Lion Update 10.7.4 Server Combo (1.49 GB)
Safari 5.1.7 -- An even more interesting security-related improvement comes from Safari 5.1.7 for both 10.7 Lion and 10.6 Snow Leopard. It’s a roughly 45 MB download via Software Update or from Apple’s Support Downloads page.
One of the biggest security vulnerabilities on Macs (or any system) comes from running out-of-date software. This is especially problematic with browser plug-ins like Adobe Flash that are easy to exploit remotely, but that few users think to upgrade.
Safari will now check the version of Flash you are running and disable it if it is not capable of updating itself to a current version. Flash versions 10.1.102.64 (yes, that’s a version number, not an IP address) and older don’t include the capability to update themselves to new releases, requiring users to update manually. Newer versions check for updates automatically, which minimizes the chances a user will be exposed to Flash-related security issues.
If you are running Flash 10.1.102.64 or older, Safari will disable it and redirect you to download and install a current version from Adobe. Flash is otherwise unaffected.
This is similar to a feature Mozilla added to the Firefox Web browser in 2009 and is a strong move to protect Mac users. Flash is frequently a source of security issues and this limits the window during which Safari users are likely to be exposed to known Flash vulnerabilities.
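The same cutoff can be applied when auditing a fleet of Macs for outdated Flash installs. The Python below is an added example, not Apple's or Safari's code: it assumes versions arrive as dotted or comma-separated strings, and the function names, hostnames and sample versions are constructed for illustration.

```python
import re

# Threshold from the article: Flash 10.1.102.64 and older cannot self-update.
LAST_NON_UPDATING = (10, 1, 102, 64)

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a version.

    Accepts dotted ("10.1.102.64") and comma-separated ("10,1,102,64")
    forms; missing trailing components are treated as zero.
    """
    if not isinstance(text, str):
        return None
    parts = re.split(r"[.,]", text.strip())
    if not 1 <= len(parts) <= 4:
        return None
    if not all(re.fullmatch(r"\d{1,6}", p) for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def should_disable(installed):
    """True if the plug-in must be blocked.

    Fails closed: a version that cannot be parsed is treated as outdated.
    """
    version = parse_version(installed)
    if version is None:
        return True
    # Numeric tuple comparison; comparing the raw strings would misorder versions.
    return version <= LAST_NON_UPDATING

def audit(inventory):
    """Map each host to 'disable' or 'allow' for a {host: version} inventory."""
    return {host: "disable" if should_disable(v) else "allow"
            for host, v in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "mac-01": "10.1.102.64",   # exactly the threshold: blocked
    "mac-02": "10.1.85.3",     # older, yet sorts above the threshold as a string
    "mac-03": "10.3.183.19",
    "mac-04": "11,2,202,235",  # comma-separated form
    "mac-05": "9.0.289",       # short form, padded with zeros
    "mac-06": "unknown",       # unparseable: fail closed
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(host, SAMPLE[host], verdict)
```

Comparing the version strings directly would let "10.1.85.3" through, because "8" sorts after "1" character by character; parsing each component as an integer avoids that.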
Safari 5.1.7 also improves browser responsiveness in low memory situations, fixes a problem that could prevent Web pages from responding after using a pinch-to-zoom gesture, and addresses several security vulnerabilities related to WebKit.
Not seeing Safari 5.1.7 in Software Update? Mac OS X 10.7.4 includes Safari 5.1.6, which provides some unspecified stability improvements. After updating Mac OS X, you will then be prompted to install Safari 5.1.7.