The Mac Security Blog
We recently wrote about how Apple’s recent security update for Snow Leopard was causing problems with applications running in the Rosetta environment – PowerPC applications being emulated to run on Intel processors. Well Apple has responded quickly, and has released Security Update 2012-001 v1.1, an update to that update, to address this issue. Early reports suggest that it resolves the problem caused by the first update.
Apple describes the update as follows:
Security Update 2012-001 v1.1 is now available for Mac OS X v10.6.8 systems to address a compatibility issue.
Version 1.1 of this update removes the ImageIO security fixes released in Security Update 2012-001.
Snow Leopard users can download this update via Software Update, or from Apple’s Downloads page.
A number of outlets are reporting that the latest Mac OS X security update for Snow Leopard, Security Update 2012-001, which we reported on yesterday, is causing problems on Macs running Mac OS X 10.6 Snow Leopard. According to TidBITS, “many people [who have applied the update] are reporting problems with PowerPC-based applications that rely on Snow Leopard’s Rosetta environment.”
Adam Engst of TidBITS said that he:
can confirm that on my Mac Pro running 10.6.8 with Security Update 2012-001 installed, both Eudora 6.2.4 and Adobe Acrobat Pro 7 crash when using File > Open, or File > Save As, and neither will print at all, although they don’t crash. I’ve also confirmed that the problem is not related to utility software like Default Folder X by reproducing it in a clean test account.
For now, a several users at Nebraska High School have created a fix for this problem, called RosettaFix. The only other solution, according to TidBITS, is to “reinstall Snow Leopard from your original disks.”
We’ll post more if Apple releases a fix for this.
Apple has released Mac OS X 10.7.3, the latest update to Mac OS X 10.7 Lion. This update patches more than 50 vulnerabilities, from Apache to X11, and includes a number of updates to PHP, QuickTime and more. It also protects against some bogus certificates, issued to DigiCert Malaysia:
Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted.
These fixes are included in the overall 10.7.3 update, and a separate security update, Security Update 2012-001, is available for Mac OS X 10.6.8. Users can download the updates via Software Update, or from Apple’s Downloads page.
For more information about these updates, see this document.
The Mozilla Foundation has released Firefox 10, the latest version of their web browser, which fixes eight vulnerabilities, six of which are rated critical. These include memory corruption issues, cross-scripting vulnerabilities and more. (See the Firefox security advisory.)
Firefox 10 also features some “powerful new developer tools,” for web designers, and a new system for checking add-on compatibility.
The Mozilla Foundation also released Firefox 3.6.26, with patches for five vulnerabilities, because some people are still using the two-year old version of the program for compatibility reasons.
Users can automatically update their copy of Firefox by launching it, choosing Firefox > About Firefox, and clicking Check for Updates. Alternatively, you can download a copy here, or, for version 3.6.26, here.
The Opera web browser has been updated to fix a high-risk cross-scripting vulnerability, as well as a low-risk JavaScript issue. Version 11.61 also improves stability. In addition, Opera has added an auto-update mechanism. When launching version 11.60, users see an upgrade notice, and a message indicates that, “You will never have to upgrade manually again, because the newest version of Opera contains an auto-update mechanism.”
Google has updated its Chrome web browser for three high-risk vulnerabilities, bringing the program to version number 16.0.912.77. Google’s release notes point out that one of the bugs, regarding Safe Browsing navigation, “was fixed in 16.0.912.75 but accidentally excluded from the release notes,” so this release actually mentions four vulnerabilities, but only actually fixes three of them.
The Chrome browser auto-updates on Mac OS X, so you don’t have to worry about downloading a new version.