Apple releases major security update for OS X

Mac OS X 10.7 Lion's Launchpad application viewer. (Apple)

Apple has rolled out a big batch of security fixes for several of its popular software products and components, including the Mac OS X 10.7 Lion operating system.

In an advisory, Apple announced it addressed the bugs, many of which could be exploited to grant an attacker privileged remote access to infected machines, and included the patches in the new OS X Lion version 10.7.3.

Other products fixed include QuickTime, SquirrelMail, Webmail, PHP, Internet Sharing, ColorSync, CoreText and X11.

One of the most notable and serious flaws Apple addressed exists in unpatched versions of Apache. The vulnerability could allow a hacker to decrypt Secure Sockets Layer (SSL) encrypted Web sessions. The glitch, as Dennis Fisher from the security firm Kaspersky Lab explained, was exploited last year by a proof-of-concept tool called BEAST.

Online retailers and other companies that sell products online — Google, Amazon, eBay and Bank of America, just to list a few — use SSL certificates to verify their identities to Web browsers. If someone compromised an SSL certificate, that person could effectively "spoof" legitimate companies' websites and harvest hoards of personal information from customers who believed they were on a legitimate site.

In its massive security upgrade, Apple also revoked trust in security certificates issued by Digicert, a Malaysian certificate authority that last year was found issuing certificates with weak cryptographic keys, Fisher said. A malicious actor could intercept a victim's credentials and other potentially sensitive information on sites with certificates issued by Digicert.

Update: There have been reports that this security update adversely affects the performance of older PowerPC-based applications in Mac OS X 10.6 Snow Leopard. Users of those apps may want to postpone this update until more is known.