Knowledge base

Adobe Flash Player updates available for OS X on September 10, 2013

Posted in Apple Mac OS

Adobe Flash Player updates are available that address a recently-identified Adobe Flash Player web plug-in vulnerability.

When attempting to view Flash content in Safari, you may see this alert: "Blocked Plug-in".


 

Selecting it will display this alert: 

"Adobe Flash Player" is out of date.

  1. Click "Download Flash…" and Safari will open the Adobe Flash Player installer website.
  2. Click the "Download now" button to download the latest Adobe Flash Player installer.
  3. Open the downloaded disk image.
  4. Open the installer and follow the onscreen instructions.
Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Last Modified: Sep 10, 2013
  • Article: HT5655

About the security content of AirPort Base Station Firmware Update 7.6.4

Posted in Apple Mac OS

This document describes the security content of AirPort Base Station Firmware Update 7.6.4.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

AirPort Base Station Firmware Update 7.6.4

  • Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule

    Impact: An associated client can crash the base station

    Description: An issue existed in the parsing of small frames with incorrect lengths. This issue was addressed by adding size checking to the parsing of small frames.

    CVE-ID

    CVE-2013-5132 : Joonas Kuorilehto of Codenomicon

Installation note for Firmware version 7.6.4

Firmware version 7.6.4 is installed into Time Capsule or AirPort Base Station with 802.11n via AirPort Utility, provided with the device.

It is recommended that AirPort Utility 6.3.1 be installed before upgrading to Firmware version 7.6.4 on OS X systems, and AirPort Utility 1.3.1 for iOS devices.

AirPort Utility may be obtained through Apple's Software Download site: http://www.apple.com/support/downloads/

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.
Last Modified: Sep 6, 2013
  • Article: HT5920

    Additional Product Support Information

    Java updates available for OS X on August 28, 2013

    Posted in Apple Mac OS

    Java updates are available that address a recently identified Java web plug-in vulnerability.

    If you're running OS X Lion v10.7.5 or OS X Mountain Lion v10.8.3, or later

    Use one of these methods:

    • For a new installation of Java 7:
      1. Download the latest Java 7 version from www.java.com/download/mac_download.jsp
      2. Open the downloaded disk image.
      3. Open the installer within and follow the onscreen instructions.
         
    • If Java 7 is already installed:
      1. Choose Apple menu > System Preferences….
      2. Choose View > Java to open the Java Control Panel app.
      3. Click the Update tab.
      4. Click the Update Now button and follow the onscreen instructions.

    If you're running Mac OS X v10.6.8

    Open Software Update and install all available updates. Additional updates may become available after installation.

    Additional Information

    To help limit exposure to potential Java web app vulnerabilities, follow these best practices:

    1. Enable Java in your web browser only when you need to run a Java web app.
    2. Confine your web browser only to the websites that need the Java web app. Do not open any other websites while the Java web plug-in is enabled.
    3. When you are done, disable the Java web plug-in. See How to disable the Java web plug-in in Safari.
    Last Modified: Aug 29, 2013
    • Article: HT5648

    OS X: Java Web plug-in blocked 28 August 2013

    Posted in Apple Mac OS

    Apple has updated the Safari web plug-in-blocking mechanism to disable the web plug-in for Java.

    To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the Java web plug-in.

    See this article for details.

    Last Modified: Aug 29, 2013
    • Article: HT5660

    Additional Product Support Information

      Messages: Reporting unwanted messages sent from iMessage

      Posted in Apple Mac OS

      If you're seeing unwanted iMessages (spam) in the Messages app, you can report them to Apple.

      To report unwanted iMessage messages to Apple, please send an email with the following details to: imessage.spam@icloud.com

      1. Include a screenshot of the message you have received.
      2. Include the full email address or phone number you received the unwanted message from. 
      3. Include the date and time that you received the message.

      To take a screenshot:

      • To take a screenshot on your iOS device, press and release the Sleep/Wake button and the Home button at the same time. The screenshot is added to your Camera Roll album.
      • To take a screenshot in OS X, press Command + Shift and the number 3 key on your keyboard simultaneously. The screenshot is saved to your Desktop folder.
        To learn more about taking screenshots in OS X, see article HT5775.

       

      Additional Information

      Note: Report unwanted ("spam") SMS and MMS type messages to your cellular provider. Contact your carrier for additional details.

      Look in the Messages conversation thread to determine if a message was sent via iMessage. Messages sent via iMessage are labeled as "iMessage" above the message in the text field. SMS and MMS type messages read "Text Message" instead.

       

      [Images: Messages window with iMessage (iMessage in iOS); Messages window with text message (SMS or MMS text message in iOS); iMessage in OS X]

       

       


      OS X product security: Certifications and validations

      Posted in Apple Mac OS


      Volatility Statements

      Government organizations and their supporting contractors who are required to provide a Volatility Statement from the product manufacturer can obtain one by sending an email request to AppleFederal@apple.com and providing the Requesting Government Agency, Apple Product Name, Product Serial Number, and Government Technical Contact for the request.

      Common Criteria Certification

      Common Criteria, an internationally approved set of security standards, provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.

      Through a Common Criteria Recognition Arrangement (CCRA), twenty-six member countries have agreed to recognize the certification of Information Technology products with the same level of confidence.

      Configuration & Administration Guide
      About Common Criteria Audit Tools
      1
      1
      Audit Tools Download
      1
      1
      Whitepaper
      2
      2
      Test Cases
      2
      2
      Security Target
      2
      2
      Validation Report
      2
      2
      Validation Certificate
      2
      2
      Conformance Claims
      2
      2
      1. Command line interface (CLI) Security Audit Tools are built-in to Mac OS X v10.6 and later.  See the Admin Guide.
      2. This Mac OS X version was not submitted for Common Criteria Certification.

      FIPS 140 Conformance Validation

      The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment of the Government of Canada (CSEC). 

      FIPS 140-2 refers specifically to the security requirements for cryptographic modules. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed.  A complete description of each level can be found within the FIPS 140-2 publication found on the NIST website (FIPS PUB 140-2).

      Cryptographic Modules validated as conforming to FIPS 140-2 are accepted by the Federal Agencies of both countries for the protection of sensitive information.

      The CMVP web portal contains complete details on the program, all the related standards and documents, as well as the official lists of FIPS 140-1 and FIPS 140-2 validated cryptographic modules.

      Cryptographic Module Validations

      All Apple FIPS 140-2 Conformance Validation Certificates can be found on the CMVP Vendor page http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.

      OS X Mountain Lion v10.8

      Related articles:


      OS X Lion v10.7

      Related articles:


      Mac OS X Snow Leopard v10.6

      Related articles:


      About Security Update 2013-003

      Posted in Apple Mac OS

      For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

      For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

      Where possible, CVE IDs are used to reference the vulnerabilities for further information.

      To learn about other Security Updates, see "Apple Security Updates".

      Security Update 2013-003

      • QuickTime

        Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4

        Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

        Description: A buffer overflow existed in the handling of Sorenson encoded movie files. This issue was addressed through improved bounds checking.

        CVE-ID

        CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative

      • QuickTime

        Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4

        Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

        Description: A buffer overflow existed in the handling of H.264 encoded movie files. This issue was addressed through improved bounds checking.

        CVE-ID

        CVE-2013-1018 : G. Geshev working with HP's Zero Day Initiative

      • QuickTime

        Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4

        Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

        Description: A buffer underflow existed in the handling of 'mvhd' atoms. This issue was addressed through improved bounds checking.

        CVE-ID

        CVE-2013-1022 : Andrea Micalizzi aka rgod working with HP's Zero Day Initiative


      OS X: Taking pictures of your screen

      Posted in Apple Mac OS

      Pictures of the screen (screen shots) are saved as files on the desktop. You can view the pictures with Preview or other image editing apps.
       

      Take a picture of your entire screen

      Press Command (⌘)-Shift-3. The screen shot is added to your desktop.
       

      Take a picture of some of your screen

      Press Command (⌘)-Shift-4, and then drag the crosshair pointer to select the area. Hold Shift, Option, or the Space bar while you drag to resize the selection area. To cancel, press Escape (esc) before you release the mouse button.

      Take a picture of a specific window

      Press Command (⌘)-Shift-4, press the Space bar, move the camera pointer over the window to highlight it, and then click.

      This works with open Finder windows and most application windows.

      To cancel, press Escape (esc) before you click.
       

      Take a picture of a menu

      Click the menu to reveal its contents, then press Command (⌘)-Shift-4 and drag the crosshair pointer over the area.

      To take a picture of the menu without the title, hover over the menu, press Command (⌘)-Shift-4 and the Space bar.

      To cancel, press Escape (esc) before you click.


      What to do before selling or giving away your Mac

      Posted in Apple Mac OS

      The following article describes how to back up and remove your data from your Mac before selling it or giving it away. Perform the steps in the order shown below.

      Important: Do not manually delete contacts, calendars, reminders, documents, photo streams, or any other iCloud data while signed in to your iCloud account. Doing so will not only delete that information from your Mac, but will also delete it from the iCloud servers and any other devices you also sync with iCloud. Instead, follow the steps below to remove your iCloud account from your Mac and leave your iCloud data intact on your other devices. 

      1. Deauthorize your computer from iTunes (if applicable).
      2. Back up your data.
      3. If enabled, turn off Find My Mac and sign out of iCloud. To turn off the iCloud service on your Mac:
        • Choose System Preferences > iCloud.
        • Deselect Find My Mac to disconnect your devices from iCloud.
        • Click the Sign Out button on the left side.
        • The system automatically removes iCloud data from your Mac.
      4. Reformat your hard drive with Disk Utility to erase all stored data and then reinstall OS X on your computer. For instructions specific to your operating system, select the appropriate article below:

      Optional: If you want to return your Mac to its original "out-of-the-box" state, so the new owner can set up the computer with the Mac OS X Setup Assistant, follow these steps:

      1. After you reformat your hard drive and reinstall OS X, the Setup Assistant automatically starts and displays the Welcome screen that prompts you to choose your country or region. Do not continue with the setup of your system.
      2. Press Command-Q to shut down your Mac.
      3. Your Mac is now ready for its new owner. When the Mac is turned on for the first time, the Setup Assistant will guide the new owner through the setup process.
