Apple released Security Update 2012-001 for Snow Leopard on Wednesday, correcting a number of vulnerabilities across several applications and file types, including:
- a risk that malicious fonts, images with ColorSync profiles, audio files, movies, documents, websites, compressed files, TIFF files, OpenGL, the libresolv library, PDF files, MP4, JPEG2000, or PNG files could terminate the application or execute arbitrary code
- risk of remote servers being able to impersonate clients via GSSAPI requests
- attackers with privileged network positions being able to intercept sensitive information including user credentials
- a risk of decrypting data protected by SSL
- some EV certificates being trusted even though the corresponding root has been marked as untrusted
- multiple vulnerabilities in Apache
- multiple vulnerabilities in PHP and libpng
- multiple vulnerabilities in SquirrelMail, including a cross-site scripting issue
- the possible disclosure of sensitive information when accessing a Subversion repository
- multiple vulnerabilities in Tomcat

The patches included in the Snow Leopard update are also included in the OS X 10.7.3 update Apple released for Lion users today.
The update is available through Software Update and is a 202.3MB download. The standalone update is 192.73MB. Security Update 2012-001 is recommended for all Snow Leopard users and improves the security of Mac OS X.