Apple Hardens Security with Mac OS X 10.7.4 and Safari 5.1.7
Apple last week released two updates that are important largely for their security-related changes: Mac OS X 10.7.4 and Safari 5.1.7 for Mac OS X.
Mac OS X 10.7.4 — First up is Mac OS X 10.7.4, which fixes a security error introduced in 10.7.3 that exposed a user’s password if they upgraded to Lion while leaving the legacy version of FileVault enabled. The flaw was due to a developer leaving debugging code enabled, which logged the user’s password in plain text. This problem affected only the older version of FileVault that encrypted a user’s home directory, as opposed to the FileVault 2 feature introduced in Lion that encrypts the entire disk. To be exposed, you would have had to upgrade a legacy FileVault system to Lion and keep the older FileVault in place.
Although this extremely serious bug essentially negated any password security on affected systems, it’s unlikely that many users were exposed.
In addition to a number of other security-related changes, Mac OS X 10.7.4 corrects or improves a few additional behaviors. It fixes an issue where the “Reopen windows when logging back in” setting was always enabled, improves the reliability of copying files to an SMB server, and fixes a problem that prevented files from copying to a server. Also, compatibility has been improved with some British third-party USB keyboards. Permission issues that cropped up when using the Get Info window’s option to “Apply to enclosed items” have also been addressed.
Other changes include better printing to an SMB print queue, improved performance when connecting to a WebDAV server, a fix for using a proxy auto-configuration (PAC) file, and more reliable binding and logging into Active Directory accounts. Raw image compatibility for recent cameras has also been updated, including the Nikon D800 and Canon EOS 5D Mark III.
Mac OS X 10.7 Lion Server also receives updates related to file sharing, Profile Manager, mobile accounts, server administration, the email and Web servers, and Xsan.
The Mac OS X 10.7.4 Update is available via Software Update as a 729.6 MB download; standalone updates are available in four forms. If you’re going to bother to download an update instead of relying on Software Update, it’s worth getting the combo update that will update any version of 10.7, since there have been a few issues in the past with the smaller delta updaters.
- Mac OS X Lion Update 10.7.4 (692.68 MB)
- Mac OS X Lion Update 10.7.4 Combo (1.4 GB)
- Mac OS X Lion Update 10.7.4 Server (738.71 MB)
- Mac OS X Lion Update 10.7.4 Server Combo (1.49 GB)
Safari 5.1.7 — An even more interesting security-related improvement comes from Safari 5.1.7 for both 10.7 Lion and 10.6 Snow Leopard. It’s a roughly 45 MB download via Software Update or from Apple’s Support Downloads page.
One of the biggest security vulnerabilities on Macs (or any system) comes from running out-of-date software. This is especially problematic with browser plug-ins like Adobe Flash that are easy to exploit remotely, but that few users think to upgrade.
Safari will now check the version of Flash you are running and disable it if it is not capable of updating itself to a current version. Flash versions 10.1.102.64 (yes, that’s a version number, not an IP address) and older don’t include the capability to update themselves to new releases, requiring users to update manually. Newer versions check for updates automatically, which minimizes the chances a user will be exposed to Flash-related security issues.
If you are running Flash 10.1.102.64 or older, Safari will disable it and redirect you to download and install a current version from Adobe. Flash is otherwise unaffected.
This is similar to a feature Mozilla added to the Firefox Web browser in 2009 and is a strong move to protect Mac users. Flash is frequently a source of security issues and this limits the window during which Safari users are likely to be exposed to known Flash vulnerabilities.
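For administrators who want to find affected machines before users hit the block, here is an added example (not Apple's code and not part of the original article) that applies the article's 10.1.102.64 cutoff to an inventory of Flash versions. It compares versions numerically, because a plain string comparison misorders values such as 10.1.85.3 and 9.0.280. The function names, the sample plist, and the use of the `CFBundleShortVersionString` key as the plug-in's version field are assumptions made for illustration.

```python
import plistlib

# From the article: Flash 10.1.102.64 and older cannot update itself.
LAST_NON_UPDATING = (10, 1, 102, 64)

# Constructed Info.plist fragment for a plug-in bundle (not a real capture).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleShortVersionString</key><string>10.1.85.3</string>
</dict></plist>"""


def parse_version(text):
    """Convert '10.1.102.64' (or '10,1,102,64') to a 4-tuple of ints."""
    parts = [int(p) for p in text.strip().replace(",", ".").split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError("unexpected version format: %r" % text)
    # Pad short versions so '9.0.280' compares as (9, 0, 280, 0).
    return tuple(parts + [0] * (4 - len(parts)))


def needs_manual_update(version_text):
    """True if this Flash version is at or below the article's cutoff."""
    return parse_version(version_text) <= LAST_NON_UPDATING


def version_from_plist(data):
    """Read the version string from plist bytes (key name is an assumption)."""
    return plistlib.loads(data)["CFBundleShortVersionString"]


def audit(inventory):
    """Map each host to 'disable', 'ok', or 'unknown' from a host->version dict."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "disable" if needs_manual_update(version) else "ok"
        except ValueError:
            report[host] = "unknown"  # unparseable: review by hand
    return report


if __name__ == "__main__":
    # Constructed inventory; host names are hypothetical.
    hosts = {"lab-01": version_from_plist(SAMPLE_PLIST), "lab-02": "9.0.280",
             "lab-03": "10.1.102.64", "lab-04": "11.2.202.235", "lab-05": "n/a"}
    for host, verdict in sorted(audit(hosts).items()):
        print(host, hosts[host], verdict)
```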
Safari 5.1.7 also improves browser responsiveness in low memory situations, fixes a problem that could prevent Web pages from responding after using a pinch-to-zoom gesture, and addresses several security vulnerabilities related to WebKit.
Not seeing Safari 5.1.7 in Software Update? Mac OS X 10.7.4 includes Safari 5.1.6, which provides some unspecified stability improvements. After updating Mac OS X, you will then be prompted to install Safari 5.1.7.
"Negated any security?" Calm down. It was a serious bug, true. This only applied to some small subset of users. It would require physical access or admin rights to unveil the password. But then, what do you need the other user's password for? Are there any reported breaches using this bug in the wild?
By looking at the Apple forum, this upgrade is not bug-free. I am waiting to see what happens next.
Not sure whether to credit this Safari update or Amazon, but I noticed after the update certain zoom boxes on Amazon product pages that haven't been working right for over a year are working now. You previously couldn't scroll around the zoomed image, now you can.
Well, for me, Mac OS X 10.7.4 has given me a lesson in trust; changes to the Apple Remote Desktop client in 10.7.4 have made my system unable to reliably connect to Mac OS X 10.4.11 ARD servers—something that 10.7.3 used to do without flaw.
Backing out the changes also showed me another problem unrelated to the 10.7.4 update, though; in trying to restore back to 10.7.3, Time Machine restoration for entire startup volumes blows away your Recovery HD partition (if you have one).
So... thanks to the 10.7.4 upgrade, I have learned to:
• back up startup disks with Disk Utility rather than Time Machine prior to an upgrade, and
• don't upgrade Lion without a fast Internet connection handy! Recovery will still require a fast, reliable Internet connection to fetch either or both the Recovery partition or Lion itself should you ever have such immense trouble.
Luckily for me, I am not using FileVault 2.
--tonza
Yeah ... and now QuickTime Pro 7 is broken! So far, you can no longer use "Loop" or "Loop Back and Forth". I was told I could use QT 10 ... but it can't export files to anything!