Posted on 07/01/2015 7:00:32 PM PDT by Utilizer
Apple has quietly included a large amount of security fixes in its latest set of patches for its OS X and iOS operating systems, plugging some serious, high-profile vulnerabilities in its code.
A tally of the common vulnerability and exposures (CVE) tags in the OS X Yosemite 10.10.4, Security Update 2015-005 and Safari 8.0.7 update packages showed 80 vulnerabilities have been patched by Apple.
These range from a flaw that allowed attackers to write to the low-level extensible firmware interface (EFI) - which manages the hardware in Mac computers - when the systems resume from sleep. The EFI zero-day was discovered by Pedro Vilaça in May this year.
Apple also fixed the Rowhammer RAM disturbance issue in EFI. This could be used by attackers to induce memory corruption, in order to gain privilege escalation.
(Excerpt) Read more at itnews.com.au ...
Still safer than PC.
PC? What does being Politically Correct have to do with anything? You want top-grade security, then you should graduate to a ‘nix or BSD environment.
Political opinions have nothing to do with it.
Good to know. I just recently had to update my Linux security patches, so the fact that the Apple crowd now has a security issue notice should encourage them to update as well.
Ping. Might be of interest to you, mate.
shore up OS X, iOS security
This never happens with Windows....
If you want on or off the Mac Ping List, Freepmail me.
I would not characterize it as a “patch” either, since this is a rewrite of much of the OS, going from OS X.10.3 to OS X.10.4. Those are major upgrades in the Mac world. . . Security “patches” are pushed out silently in the background, or as “security patches”, not as point level upgrades, which include new functionality as well as other improvements, bug fixes, etc.
Right, well, the author of this article seemed to think it newsworthy because of the severity of the security patches provided this time around, so it seemed worthy of noting at least. Thanks for the feedback.
Cheers.
Still safer than PC.
********************************************
Tru dat! In this summary of “vulnerability patches” I see the words “could be used” (in regard to how the vulnerability “could be” used to do harm) over and over again. It would appear from the way that this was written that most of these vulnerabilities were hypothetical and hadn’t actually created harm in the wild.
Regardless, props to Apple for fixing the potential problems and props to the dedicated developers who meticulously searched them out and reported them. I guess most of the developers looking for, finding and reporting such vulnerabilities are “unsung heroes”... so all the more do they deserve our respect and appreciation.
They are no more severe than other vulnerabilities that were fixed in the past. None of these rose to the level of being actually exploited in the wild. . . and most required physical possession of the machine to exploit. The vast majority of the fixes are minor. Some of them, such as the Rowhammer vulnerability, affected Linux, Windows, and OS X. . . but it was an extremely hard vulnerability to exploit. It just needed to be fixed. The article postulated that someone "could use" Rowhammer to escalate privileges. No, it could not, because it takes a lot more than just flipping a few memory locations to do that. Just disrupting some RAM will not accomplish that. Still, as I said, it needed to be fixed. Apple found a way to avoid even the possibility of attack.
Logjam is a problem with SSL layers at all levels of the Internet. . . and essentially this is a systemic problem that requires more than just a solution at the OS level. Apple has done what it can. Now servers and ISP operators have to do theirs.
These are all in the sense of closing the vulnerabilities before the exploits exist. This is a proactive approach to security.
Incidentally, Apple includes in their updates to OS X and iOS security update fixes for all the components of UNIX that are shipped with OS X, plus fixes for additional software that ships with Apple software. That tends to inflate the number of CVEs that are reported in the updates.
Cheers, right back to you, too. Enjoy the holiday week. . .
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.