Tag Archives: Mac EFI

Apple Releases Security Updates December 2015

On the 8th and 11th of December Apple released numerous security updates for the following products:

=======================

  • Apple iOS 9.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple tvOS 9.1: For Apple TV (4th generation)
  • Apple OS X: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 (2 updates), OS X El Capitan v10.11 and v10.11.1
  • Apple watchOS v2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple Safari 9.0.2: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
  • Apple Xcode 7.2: For OS X Yosemite v10.10.5 or later
  • Apple iTunes 12.3.2: For Windows 7 and later

=======================

Comprehensive details of all of these updates are provided on Apple’s Security Updates page.

If you wish to prioritize these updates, I would suggest beginning with the updates for iOS, OS X, watchOS and tvOS as well as Safari, due to the number and severity of the issues they address. The most serious could allow an attacker to run code of their choice (remote code execution) with kernel or system level privileges.

Noteworthy fixes included are as follows:

Apple iOS 9.2: Resolves 51 CVEs (defined) and includes fixes for AppleMobileFileIntegrity, CoreGraphics, GPUTools Framework, ImageIO, iOS Kernel, libc, MobileStorageMounter, iOS Safari and WebKit (among others)

Apple OS X and Security Update 2015-006 Yosemite: Resolves 55 CVEs, including fixes for apache_mod_php, AppSandbox, Bluetooth, CoreGraphics, CoreMedia Playback, EFI, Intel Graphics Driver, OS X kernel, libc, OpenGL, OpenSSH and System Integrity Protection (among others).

Apple tvOS 9.1: Resolves 45 CVEs including security issues within AppleMobileFileIntegrity, CoreGraphics, CoreMedia Playback, ImageIO, tvOS kernel, libc, MobileStorageMounter, OpenGL and WebKit (among others).

Apple watchOS 2.1: Resolves 30 CVEs within components such as AppSandbox, CoreGraphics, CoreMedia Playback, FontParser, GasGauge, ImageIO, watchOS kernel, libc, OpenGL and Sandbox (among others).

Apple Safari 9.0.2: Resolves 12 CVEs all within WebKit (the renderer of Safari).

Apple Xcode 7.2: Resolves 4 CVEs, the most serious of which were present within the otools component of Xcode.

Apple iTunes 12.3.2: Resolves 12 CVEs, all within WebKit. This update applies to the Windows version of iTunes only.

=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates October 2015

On Wednesday of last week Apple made available a large collection of security updates to resolve vulnerabilities across its product range:

=======================

  • Apple OS X Server 5.0.15: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Apple Xcode 7.1: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Mac EFI: For OS X Mavericks v10.9.5.
  • Apple iTunes: For Windows 7 and later (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).
  • OS X El Capitan 10.11.1 and Security Update 2015-007: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple Safari 9.0.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple watchOS v2.0.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes.
  • Apple iOS 9.1: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

=======================

Full details on all updates are available on Apple’s Security Updates page. If you wish to prioritize these updates I would suggest beginning with installing the updates for OS X, iOS, watchOS, Safari and OS X Server due to the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

OS X Server 5.0.15: Resolves 3 CVEs (defined) with potentially high severity (includes 2 CVEs in ISC BIND).

Apple Xcode 7.1: Addresses a Swift type conversion issue (1 CVE).

Mac EFI Security Update 2015-002: Addresses 1 potentially high severity CVE.

Apple iTunes 12.3.1: Addresses 12 critical CVEs.

Apple OS X El Capitan 10.11.1 and Security Update 2015-007: Addresses 60 CVEs and includes fixes for apache_mod_php, CoreText, EFI, FontParser, Grand Central Dispatch, Graphics Drivers, OS X kernel, OpenGL and OpenSSH (among others).

Apple Safari 9.0.1: Addresses 9 critical CVEs in WebKit (the renderer of Safari).

Apple watchOS v2.0.1: Resolves 14 CVEs, including fixes for Apple Pay, CoreGraphics, FontParser and Grand Central Dispatch (among others).

Apple iOS 9.1: Includes fixes for 49 CVEs, with notable fixes in CoreGraphics, CoreText, FontParser, Grand Central Dispatch, Graphics Driver, iOS kernel, OpenGL and WebKit (among others).

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad, especially since the iOS upgrade is a significant one.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates

On Tuesday of this week, Apple made available a large collection of security updates for the following products:

  • Apple Safari: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
  • Apple OS X: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
  • Apple iOS 8.4: for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • EFI Updates: for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 based systems
  • Apple QuickTime: for Windows
  • Apple iTunes: for Windows (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).

Full details on all updates are available on Apple’s Security Updates page. For this large collection of security updates, I believe that the OS X update has the highest priority since it resolves the largest number of CVEs.

Noteworthy fixes included are as follows:

  • Apple Safari: Addresses 1 critical SQL input validation flaw (as well as 3 other CVEs).
  • OS X (10.10, 10.9 and 10.8): includes fixes for 52 critical remote code execution CVEs as well as fixes for Apache, Certificate Trust Policy, CoreTLS (to address the Logjam flaw), EFI flash memory, display drivers (for non-Intel and Intel drivers), the OS X kernel, NTP, OpenSSL, QuickTime and SQLite (77 CVEs in total, not all flaws fixed were assigned CVE numbers).
  • Apple iOS 8.4: includes fixes for CoreTLS (to address the Logjam flaw), the iOS kernel and several fixes for Safari and the WebKit library (33 CVEs in total, not all flaws fixed were assigned CVE numbers).
  • Mac EFI Security Update 2015-001: Addresses 2 privilege escalation CVEs.
  • Apple iTunes 12.2 for Windows: Addresses 39 CVEs.
  • Apple QuickTime 7.7.7 for Windows: Addresses 9 CVEs.

Excellent explanations of the issues resolved by these updates are available for both OS X and iOS.

For an explanation of the term CVE, please see the first short aside within this blog post.

If you use any of the above software, please install the appropriate updates as soon as possible (if you have not already done so). As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed) in order to prevent data loss in the rare event that any update causes unexpected issues. This is especially important for the Mac EFI update mentioned above since if an issue occurs during the update, your computer may no longer start up correctly when turned on.

Thank you.