The update, a combination of security, stability and compatibility fixes, patched a total of 30 vulnerabilities in Mountain Lion. It was accompanied by security-only updates for 2011’s OS X 10.7, aka Lion, and 2009’s OS X 10.6, known as Snow Leopard. This was the first time since early June that Apple refreshed Mountain Lion.
Apple called out several non-security fixes inside 10.8.5, including ones that addressed a bug that blocked the bundled Mail email client from displaying messages, improved file transfer performance and reliability over Wi-Fi and Ethernet networks, and tweaked connections between Macs and Apple’s Xsan storage area network.
On the security side, 10.8.5 patched 30 vulnerabilities, including 7 labeled with the line “may lead to … arbitrary code execution,” which is Apple’s way of saying that they’re critical. The fixes quashed bugs in several open-source components integrated with Mountain Lion, such as Apache (4 patches); Bind (5), the most widely-used DNS (domain name system) software for routing Internet requests to the correct addresses; OpenSSL (3); and PHP (4), the server-side scripting language.
Also included in the update were patches to stymie attacks using rogue PDF documents, one to fix a problem with Macs coming out of sleep to a locked state, and another to plug a hole in QuickTime, Apple’s often-buggy media playing software.
One of the patches was for a several-months-old vulnerability in the Unix component known as “sudo,” which lets users gain super-user or “root” rights. By resetting the system clock, hackers who have already managed to grab limited control of a Mac can sidestep the need for the root-access password.
The sudo flaw had been identified in OS X in March, but attracted more attention two weeks ago after Metasploit, the popular open-source penetration toolkit, added a module that made it easy to exploit the bug.
Also published Thursday was an update to Safari 5, the Apple browser for Snow Leopard; the separate update patched a pair of vulnerabilities, including one revealed at the September 2012 Mobile Pwn2Own hacking contest by a Dutch team who used it to exploit iOS. Apple had patched the same bugs in the newer Safari 6 last year.