More than half of the 52 vulnerabilities fixed by Apple could enable attackers to carry out “arbitrary code execution”, which means the systems could be hijacked.
The security update plugs vulnerabilities ranging from Apache flaws to problems with certificates issued to DigiCert Malaysia. Last year, researchers found that DigiCert Malaysia had issued 22 certificates with weak keys and missing certificate extensions and revocation information.
Among the patches were ones that addressed a vulnerability in SSL 3.0 and TLS 1.0, flaws that were demonstrated last September by researchers who crafted a hacking tool dubbed the BEAST.
In addition, Apple patched six vulnerabilities in the QuickTime media player, which could be triggered with malicious image, audio, or video files.
According to the Apple support forum, some Lion users were reporting that their applications were crashing after they installed the security update.
Commenting on the Apple update, Paul Ducklin, head of technology for Sophos Asia Pacific, said, “If you're a Snow Leopard (OS X 10.6) user, you'll need the 200Mbyte Security Update 2012-001, which requires you to be at the latest point release of that version first… If you're using Lion (OS X 10.7), you get 700MBytes to 1.4Gbytes (depending on what sub-version of 10.7 you are currently using) of full-blown new point release, which takes you to 10.7.3. A reboot is required on both Snow Leopard and Lion.”