For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see About the security content of Safari 6.0.3.

OS X Mountain Lion v10.8.3 and Security Update 2013-001

• Apache

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials

  Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences.

  CVE-ID

  CVE-2013-0966 : Clint Ruoho of Laconic Security

• CoreTypes

  Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled

  Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.

  CVE-ID

  CVE-2013-0967

• International Components for Unicode

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack

  Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table.

  CVE-ID

  CVE-2011-3058 : Masato Kinugawa

• Identity Services

  Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed

  Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string.

  CVE-ID

  CVE-2013-0963

• ImageIO

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution

  Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images.

  CVE-ID

  CVE-2012-2088

• IOAcceleratorFamily

  Available for: OS X Mountain Lion v10.8 to v10.8.2

  Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution

  Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking.

  CVE-ID

  CVE-2013-0976 : an anonymous researcher

• Kernel

  Available for: OS X Mountain Lion v10.8 to v10.8.2

  Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel

  Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them.

  CVE-ID

  CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers

• Login Window

  Available for: OS X Mountain Lion v10.8 to v10.8.2

  Impact: An attacker with keyboard access may modify the system configuration

  Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window.

  CVE-ID

  CVE-2013-0969 : Eric A. Schulman of Purpletree Labs

• Messages

  Available for: OS X Mountain Lion v10.8 to v10.8.2

  Impact: Clicking a link from Messages may initiate a FaceTime call without prompting

  Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs.

  CVE-ID

  CVE-2013-0970 : Aaron Sigel of vtty.com

• Messages Server

  Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5

  Impact: A remote attacker may reroute federated Jabber messages

  Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages.

  CVE-ID

  CVE-2012-3525

• PDFKit

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

  Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management.

  CVE-ID

  CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative

• Podcast Producer Server

  Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5

  Impact: A remote attacker may be able to cause arbitrary code execution

  Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server.

  CVE-ID

  CVE-2013-0156

• Podcast Producer Server

  Available for: OS X Lion Server v10.7 to v10.7.5

  Impact: A remote attacker may be able to cause arbitrary code execution

  Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server.

  CVE-ID

  CVE-2013-0333

• PostgreSQL

  Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5

  Impact: Multiple vulnerabilities in PostgreSQL

  Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html

  CVE-ID

  CVE-2012-3488

  CVE-2012-3489

• Profile Manager

  Available for: OS X Lion Server v10.7 to v10.7.5

  Impact: A remote attacker may be able to cause arbitrary code execution

  Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager.

  CVE-ID

  CVE-2013-0156

• QuickTime

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

  Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking.

  CVE-ID

  CVE-2012-3756 : Kevin Szkudlapski of QuarksLab

• Ruby

  Available for: Mac OS X Server 10.6.8

  Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running

  Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails.

  CVE-ID

  CVE-2013-0156

• Security

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

  Description: Several intermediate CA certificates were mistakenly issued by TURKTRUST. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates.

• Software Update

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5

  Impact: An attacker with a privileged network position may be able to cause arbitrary code execution

  Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue does not affect OS X Mountain Lion systems. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView.

  CVE-ID

  CVE-2013-0973 : Emilio Escobar

• Wiki Server

  Available for: OS X Lion Server v10.7 to v10.7.5

  Impact: A remote attacker may be able to cause arbitrary code execution

  Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server.

  CVE-ID

  CVE-2013-0156

• Wiki Server

  Available for: OS X Lion Server v10.7 to v10.7.5

  Impact: A remote attacker may be able to cause arbitrary code execution

  Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server.

  CVE-ID

  CVE-2013-0333

• Malware removal

  Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

  Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.

General installation questions 

What is Boot Camp 5?
Boot Camp 5 is not a release of OS X software. Rather, it is a release of the Windows Support Software (drivers). You will need to use this software on your Mac with Windows 8 or Windows 7. For more information on Boot Camp 5, see this article.

Which Macs support Windows 8?

• MacBook Air (Mid 2011 or newer)
• MacBook Pro (Mid 2010 or newer)
• Mac Pro (Early 2009 or newer)
• Mac Mini (Mid 2011 or newer)
• iMac (27-inch, Mid 2010 or Mid 2011 or newer)

For more information, see this article.

What are the System Requirements for Windows 8?
Please see this article.

How can I install Windows 8 on an eligible computer?
Use the Boot Camp Assistant. The assistant will partition your internal hard drives and install Windows 8. For more information on Windows 8 installation, see the Boot Camp Installation & Setup Guide.

Can I use an upgrade from Windows 7 to Windows 8?
Yes. Download and install the Boot Camp 5 Support Software before attemping the upgrade by using the Boot Camp Assistant in OS X Mountain Lion v10.8.3. Alternatively, you can manually download the Boot Camp 5 Windows Support Software here.

When I do an upgrade install from Windows 7 to Windows 8, an "Uninstall USB 3.0 eXtensible Host Controller Driver" message appears. What do I do?
Do not click on Uninstall. Click the back button and Cancel the upgrade. Download the Boot Camp 5 Support Software by using the Boot Camp Assistant in OS X Mountain Lion v10.8.3, or click here to download them. Then, try the upgrade again. See this article for more information. 

After upgrading from Windows 7 to Windows 8, Thunderbolt devices are being recognized when I connect in. How do I fix this?
Disable the Windows 8 Fast Boot feature to allow Thunderbolt devices to be recognized. See Boot Camp: Thunderbolt devices not recognized after Windows 8 upgrade for instructions.

Is there an OS X version requirement to use the Boot Camp Assistant to download Boot Camp 5 Support Software?
You need OS X Mountain Lion v10.8.3 or later installed to download the Boot Camp 5 Support Software (Windows drivers) using the Boot Camp Assistant. After upgrading, click the Go menu and choose Utilities. Then, open Boot Camp Assistant and follow the onscreen instructions. You can download the Boot Camp Installation & Setup Guide.

Is there a download of the Boot Camp 5 Support Software if I'm not using OS X Mountain Lion v10.8.3?
Yes, you can download the Boot Camp 5 Support Software here.

How do I use the Boot Camp 5 Support Software I downloaded from the web page?

1. The download file is a .zip file. Double click it to uncompress it.
2. Double-click the Boot Camp disk image.
3. Copy the Boot Camp and "$WinPEDriver$" folders to the root level of a USB flash drive or hard drive that is formatted with the FAT file system (see question below for steps on how to format). 
4. Install Windows, leaving the flash or hard drive attached to the USB port of your Mac.
5. Installation of the drivers can take a few minutes. Don't interrupt the installation process. A completion dialog box will appear when everything is installed. Click Finish when the dialog appears.
6. When your system restarts your Windows 8 installation is done.

Note: If the flash drive or hard drive was not attached when you installed Windows and was inserted after restarting into Windows 8, double-click the Boot Camp folder, then locate and double click the "setup.exe" file to start the installation of the Boot Camp 5 Support Software.

How do I format USB media to the FAT file system?
Use Disk Utility to format a disk to use with a Windows computer. Here's how:

Important: Formatting a disk erases all the files on it. Copy any files you want to save to another disk before formatting the disk.

1. Open Disk Utility.
2. Select the disk you want to format for use with Windows computers.
3. Click Erase, and choose one of the following from the Format pop-up menu:
   
   • If the size of the disk is 32 GB or less, choose MS-DOS (FAT).
   • If the size of the disk is over 32 GB, choose ExFAT.
4. Type a name for the disk. The maximum length is 11 characters.
5. Click the Erase button and then click Erase again.

Which versions of Windows are supported with Boot Camp 5?
64-bit versions of Windows 8 and Windows 7 are supported using the Boot Camp 5 Support Software. If you need to use a 32-bit version, you need to use Boot Camp 4 Support Software, and you must use Windows 7. 32-bit versions of Windows 8 are not supported via Boot Camp. For a complete list of Windows OS support, click here.

Model-specific Questions

I receive a "Free up space on Drive C" message when I try to do an upgrade install from Windows 7 to Windows 8 on my MacBook Air (11-inch, Mid 2012).  Why am I seeing this?
There is not enough free space available to do an upgrade install with the 64 GB SSD configuration. Delete the Boot Camp partition and do a full install instead. See this article for more information.

I see a black screen or distortion when I install Windows 8 on a MacBook Pro (Retina, 13-inch, Late 2012). How do I fix this?
The Windows 8 installer does not contain the correct graphics driver for your computer. You'll need to attach the USB media that contains the Boot Camp drivers during installation to address this issue. See this article for more information.

The volume controls keys (F1 and F2) won't work on my iMac (Mid 2011). How do I control the volume?
Use the Settings Charm to control screen brightness. See this article.

My MacBook Air (Mid 2012) will not start Windows 8, or displays VGA graphics when it stats up. How can I fix this?
Your MacBook Air (Mid 2012) needs an EFI Firmware update to address this issue. Download and install the MacBook Air EFI Firmware Update 2.6.

I see a "Windows 8 is not supported on this Mac" message on my Mac. Can my Mac run Windows 8?
For a complete list of Mac computers and the Windows operating systems they support, click here.
 

All Windows installations require the following

• An administrator account in OS X to configure Boot Camp Assistant.
• Internet access.
• USB keyboard and mouse, or a built-in keyboard and trackpad. You should use the keyboard and mouse that shipped with your Mac or a built-in trackpad.
• 8 GB USB storage device, or external drive formatted as MS-DOS (FAT) to install the downloaded drivers.

  Note: To learn how to obtain and build the Apple Boot Camp Drivers installation media needed to install Windows for Apple hardware, see this article. To format an external drive as MS-DOS (FAT), use Disk Utility in OS X.
   

• Recommend minimum of 2 GB of RAM, 20 GB of free space on the disk that you’re installing Windows on for the first time, or 40 GB if you are upgrading from a previous Windows Version.
• Authentic Microsoft Windows full install disc or ISO file.
• Be sure to install all required firmware updates for your computer.

Supported versions of Windows (Authentic, single, full-installation)

• Windows XP: Home Edition or Professional with Service Pack 2 or Service Pack 3 (Boot Camp 4 only).
• Windows Vista: Home Basic, Home Premium, Business, or Ultimate, Service Pack 1 or later (Boot Camp 4 only).
• Windows 7: Home Premium, Professional, or Ultimate (Boot Camp 4 or 5).
• Windows 8: Windows 8, Windows 8 Pro (Boot Camp 5 only).

Note: See the tables below to determine which versions of Windows are supported on your Mac model.

Microsoft Windows system requirements

• For Windows XP: http://support.microsoft.com/kb/314865
• For Windows Vista: http://support.microsoft.com/kb/919183
• For Windows 7: http://windows.microsoft.com/systemrequirements
• For Windows 8: http://windows.microsoft.com/en-US/windows-8/system-requirements

Boot Camp requirements by Mac model

Select your type of Mac computer from the list below to learn which version of Boot Camp and Windows are supported by your Mac. If you don't know which Mac model you have, follow the steps at the end of this article.

Note: "4" or "5" in the tables indicates the version of Boot Camp that is supported on your Mac. The version of Boot Camp determines which version of Windows will run on your Mac.

MacBook Pro

MacBook Air

MacBook

iMac

Mac mini

Mac Pro

How to find which Mac model you have

If you don't know which Mac you have, use the following steps to find out:

1. From the Apple () menu, choose About This Mac.
2. Click "More Info". You will see the Mac model listed in the top-right portion of the window.

Downloading Boot Camp drivers

After learning which version of Boot Camp will run your version of Windows on your Mac, you can get the required version of Boot Camp these ways:

• Use the Boot Camp Assistant to download Boot Camp 5 (only available on OS X Mountain Lion v10.8.3 and later). Boot Camp 4 is available via Boot Camp Assistant for earlier versions of OS X (OS X Mountain Lion v10.8.2 and earlier).
  
• Manually download Boot Camp 4 or Boot Camp 5 here.