. Hot on the heels of the, Apple has pumped out a raft of security updates for Snow Leopard (OS X 10.6) and Lion (OS X 10.7) users. Here they are:. OS X Lion 10.7.4.
The blurb is at; the 40,000-foot overview is at; and the all-important security details are at. This update patches numerous vulnerabilities.
These include issues at Bronze, Silver and Gold medal levels of insecurity. There are vulnerabilities leading to information leakage (other people can look at data they’re not supposed to see, up to and including raw passwords), escalation of privilege (non-admin users can get administrative access they’re not supposed to have), and remote code execution (untrusted external content, such as a web page, can run software on your Mac without warning).
Notably, the 10.7.4 update fixes the recently-discovered. Apple inadvertently shipped a version of FileVault – the software which seamlessly encrypts your home folder – with a debugging option turned on. This caused OS X Lion to record your personal password in its log file, where others could retrieve it. Of course, passwords should never be stored in plaintext, so this was a monster-sized blunder.
Security update 2012-002 for 10.6.8. Once again, refer to for details.
This is Snow Leopard’s equivalent of the 10.7.4 update. (Some of the vulnerabilities listed in HT5281 apply only to Lion – such as the FileVault password logging fault. Some apply only to Snow Leopard. Many apply to both. Apple has chosen to document them in one place, for a total of 26 vulnerabilities patched in 19 system components.).
Remote Desktop client update. This patch is part of the OS X Lion point update to 10.7.4, but isn’t included in the 2012-002 update pack for Snow Leopard users. So if you’re on 10.6.8, you get this one separately. Safari 5.1.7. This is nice!
The notification is at and some implementational detail is at. The security fixes – which include a patch for the remote code execution issue addressed two days ago in iOS 5.1.1 – are at. New to Safari 5.1.7 is a feature which automatically turns off the Adobe Flash plugin inside your browser if it goes out of date.
When you update your Flash version – an update Apple’s own processes obviously can’t control – then the plugin gets reactivated. If you really want to run with the outdated plugin, HT5271 tells you how. But you really shouldn’t. Plugins such as Flash and Java are vigorously analysed by crooks in the hope that they’ll find a way to trick them into downloading program code without permission. What more to say? These updates should be considered either necessary (in the case of the security patches) or at the very high end of highly desirable (in the case of Safari 5.1.7).
Get ’em today! Just so you know: you will need to reboot in order to activate these updates. Follow for the latest computer security news. Follow for exclusive pics, gifs, vids and LOLs! I lamented that fact myself when I wrote up the recent iOS update: I even included a 'begging letter' to Apple staff, with a clickable link to email a bloke called, urging them to beg their employer to update HT1222 promptly whenever there is any security-related content. After all, the DLxxxx articles inevitably say, 'for info about the security content of this update, see HT1222' – which is mighty confusing to early adopters – the very people Apple want to encourage to spread the word about security-related stuff!
'These updates should be considered either necessary (in the case of the security patches) or at the very high end of highly desirable (in the case of Safari 5.1.7).' This is probably going to sound like a rhetorical question, but it's actually not: Why would someone NOT want to install these updatesor ANY security updates, for that matter?
The only reason I can think of is the possibility that the updates might break something else. That would be a nuisance, to be sure, but no more so than having one's system compromised. So my question is a serious one: Owing to the fact that one really has very little control over the number of possible attacks that can be crafted by ne'er-do-wells, is there really any difference between 'necessary' and 'highly desirable' security updates? Just curious.
I was trying to be conciliatory to those who are reluctant to install updates. After all, it's when you install an update that things are most likely to break, or to change in an unexpected way. So my motivation in calling the Safari update 'highly desirable' rather than 'necessary' was to imply that you ought to do it even though it isn't self-contained since it may deliberately affect other things on your computer. If Flash is outdated, updating Safari will immediately stop you watching YouTube. Many people need positive urging to accept 'updates' that do things of that sort But you're probably right – since the Safari update does more than just improve your safety against Flash issues (for example, by fixing remote code execution vulns), perhaps I shouldn't have made the distinction.
Perhaps you'll be comforted by the fact I did conclude with an unambiguous 'Get 'em today' 🙂. Speaking for myself, I see an annoyingly large number of 'oops we forgot about ' problems with every new bit of software.
So, while I will patch, I certainly won't be doing it today. Let someone else iron out the bigger bugs first. Particularly security updates!
I think OSX has a better rep than Windows but if the updates were perfect, there wouldn't be another one along in a while. There will always be bugs, but would you rather be at the bleeding edge of bug discovery or would you rather practice safe browsing/add a firewall rule/etc? For example, privilege escalation is a bad thing, but how many people have checked/rewritten their sudoers file, which allows escalations out of the box? (I'm not saying that's anything to do with the bug, it's just a comparable risk having a file that enables escalation when you don't know what it contains).
New important Firmware Update for DrayTek Routers DrayTek points out an important firmware update that closes a security hole. The problem is that it may be possible to intercept or start an administrator session and then change configurations on the router. According to own statements DrayTek got information about cases where changed DNS settings were reported. So you should install the new firmware in any case. DrayTek has already fixed the bug with version 3.8.8.2, since a few days the version 3.8.9 is available.
DrayTek also recommends to use only secure (TLS1.2) connections for web administration (for local and remote administration) and to disable remote access, if this is not required or until the firmware is updated. New firmware is available for the following routers:. Vigor2120. Vigor2133. Vigor2760Delight. Vigor2762. Vigor2830nv2.
Vigor2830. Vigor2850. Vigor2832. Vigor2860. Vigor2862. Vigor2862B.
Vigor2912. Vigor2925. Vigor2920. Vigor2926. Vigor2952.
Vigor3200. Vigor3220. VigorBX2000 If your model is present, you should immediately.
As you know, security always comes first.