By Stewart Mitchell
Apple has released updates to OS X Lion and Safari to plug serious security holes.
The company said Safari 5.1.7 patches flaws that allow criminals to target users with cross-site scripting attacks and run malicious code or fill in forms without user interaction. It also disables old versions of Flash to prevent criminals from taking advantage of unpatched flaws in the add-on.
“This update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory,” Apple said. “Out-of-date versions of Adobe Flash Player do not include the latest security updates and will be disabled to help keep your Mac secure.”
“If Safari 5.1.7 detects an out-of-date version of Flash Player on your system, you will see a dialog informing you that Flash Player has been disabled. The dialog provides the option to go directly to Adobe's website, where you can download and install an updated version of Flash Player.”
The OS X Lion 10.7.4 update fixes 26 vulnerabilities.
According to experts, the updates should be installed as soon as possible, because they fix flaws that could lead to real threats, such as the security issues that have hit the company recently.
“This update patches numerous vulnerabilities, including issues at bronze, silver and gold medal levels of insecurity,” said security analyst Paul Ducklin on the Sophos Naked Security blog.
“There are vulnerabilities leading to information leakage - up to and including raw passwords - escalation of privilege and remote code execution.”
“Notably, the 10.7.4 update fixes the recently-discovered FileVault flaw. Apple inadvertently shipped a version of FileVault - the software which encrypts your home folder - with a debugging option turned on.”
[Source : PC Pro]