Tag Archives: Apple OS X

Apple Releases Security Updates October 2015

On Wednesday of last week Apple made available a large collection of security updates to resolve vulnerabilities across its product range:

=======================

  • Apple OS X Server 5.0.15: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Apple Xcode 7.1: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Mac EFI: For OS X Mavericks v10.9.5.
  • Apple iTunes: For Windows 7 and later (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).
  • OS X El Capitan 10.11.1 and Security Update 2015-007: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple Safari 9.0.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple watchOS v2.0.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes.
  • Apple iOS 9.1: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

=======================

Full details on all updates are available on Apple’s Security Updates page. If you wish to prioritize these updates I would suggest beginning with installing the updates for OS X, iOS, watchOS, Safari and OS X Server due to the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

OS X Server 5.0.15: Resolves 3 CVEs (defined) with potentially high severity (includes 2 CVEs in ISC BIND).

Apple Xcode 7.1: Addresses a Swift type conversion issue (1 CVE).

Mac EFI Security Update 2015-002: Addresses 1 potentially high severity CVE.

Apple iTunes 12.3.1: Addresses 12 critical CVEs.

Apple OS X El Capitan 10.11.1 and Security Update 2015-007: Addresses 60 CVEs and includes fixes for apache_mod_php, CoreText, EFI, FontParser, Grand Central Dispatch, Graphics Drivers, OS X kernel, OpenGL and OpenSSH (among others).

Apple Safari 9.0.1: Addresses 9 critical CVEs in WebKit (the renderer of Safari).

Apple watchOS v2.0.1: Resolves 14 CVEs which includes fixes for Apple Pay, CoreGraphics, FontParser and Grand Central Dispatch (among others).

Apple iOS 9.1: Includes fixes for 49 CVEs; notable among these are fixes for CoreGraphics, CoreText, FontParser, Grand Central Dispatch, Graphics Driver, iOS kernel, OpenGL and WebKit (among others).

If you use any of the above software, please install the appropriate updates as soon as possible.
As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad especially since the iOS upgrade is a significant one.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates for iOS, OS X and Safari

Yesterday Apple made available a large collection of security updates for the following list of products:

  • Apple OS X El Capitan 10.11
  • Apple iOS 9.0.2: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple Safari 9: for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11

Full details on all updates are available on Apple’s Security Updates page. I would suggest prioritizing the installation of the updates for OS X and Safari due to the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

Apple OS X El Capitan 10.11: Addresses 100 CVEs (defined) (and 3 issues not assigned CVEs at this time) and includes fixes for Apache webserver, bash, CoreCrypto, EFI, OS X Kernel, libc, libpthread, Apple Mail, OpenSSL, OpenSSH, Terminal and Time Machine.

Apple Safari 9: Includes fixes for 45 CVEs (and 4 issues not assigned CVEs at this time) in Safari, WebKit (the renderer of Safari) and WebKit related components.

Apple iOS 9.0.2: Addresses an important CVE in relation to the ability to bypass the lock screen of iOS using Siri. More details are available in this Sophos blog post. That blog post also provides additional security hardening advice that you may wish to apply to your lock screen configuration.

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see this link from Apple for advice on backing up your Mac laptop/desktop especially since the OS upgrade is a significant one.

Further details of the features/improvements incorporated into OS X El Capitan are located here. The steps on upgrading are provided here which include checking if your Mac devices meet the requirements to install the new operating system.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Finally the update for OS X does not address a known bypass for Apple’s Gatekeeper security feature but as this article mentions, Apple is working on a fix for that issue.

Thank you.

Apple Releases Security Updates for OS X, OS X Server, Safari and iOS

Yesterday Apple made available a collection of security updates for the following list of products:

—————-
Apple Safari: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X Server: OS X Yosemite (10.10.5 or later)
Apple iOS 8.4.1: for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
—————-

As always, full details on all updates are available on Apple’s Security Updates page. For this large collection of security updates, I would suggest prioritizing the installation of the update for OS X since it resolves the largest number of CVEs (defined) and addresses a serious publicly disclosed issue in a component known as the DYLD_PRINT_TO_FILE environment variable. This flaw is discussed further in this post and this post.

Noteworthy fixes included are as follows:

Apple Safari: Includes fixes for 26 CVEs in WebKit (the renderer of Safari) and WebKit related components (27 CVEs addressed in total).

OS X (10.10, 10.9 and 10.8): Includes fixes for Apache (the popular open source web server), Bluetooth, FontParser, OS X kernel, libc, libpthread, OpenSSH, OpenSSL, PostgreSQL, Python, QuickTime, sudo and tcpdump (135 CVEs addressed in total).

Apple iOS 8.4.1: Includes fixes for CoreText, FontParser, iOS kernel, libc, libpthread, Safari and 25 CVEs in WebKit (and WebKit related components) (71 CVEs addressed in total).

OS X Server: Addresses 1 CVE in ISC BIND (as discussed in a previous blog post).

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed) in order to prevent data loss in the rare event that any update causes unexpected issues.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.