It was a busy day for Apple. The following updates were released:
OS X 10.9.4
The OS X Mavericks 10.9.4 Update is recommended for all Mavericks users. It improves the stability, compatibility, and security of your Mac.
- Fixes an issue that prevented some Macs from automatically connecting to known Wi-Fi networks
- Fixes issue causing the background or Apple logo to appear incorrectly on startup
- Improves the reliability of waking from sleep
- Includes Safari 7.0.5
The update also contained some security patches which Apple believes, as usual, are not worth mentioning in the release notes. 19 security related issues were resolved and some of them, in my opinion, were quite nasty. Opening a maliciously crafted zip file could lead to arbitrary code execution (copyfile), remote attackers could gain access to another user’s session (curl), An attacker with access to a system may be able to recover
Apple ID credentials (iBooks Commerce) and A malicious application may be able to execute arbitrary code with system privileges (launchd). Also a not so minor issue with Secure Transport that allowed two bytes of memory could be disclosed to a remote attacker. Two bytes is not much but a few bytes disclosed to the wrong person can do a whole lot of damage, just think back to the Heartbleed fiasco. There is more to this list and if you want to read it you can find it here (this URL usually takes a while to be updated by Apple).
Safari 6.1.5 and 7.0.5
12 security issues were patched in Safari, all WebKit related. From memory corruptions that could be exploited to malicious websites being able to access local files on your Mac. The full list can be found here.
Apple also released updates for iOS 7. The update, 7.1.2, is available for iPhone 4 and later and squashed some nasty bugs too. All together 44 security related issues were addressed including fun stuff like someone being able to bypass Activation Lock or exceed the maximum number of failed passcode attempts. Someone could also gain access to the application that was open before the phone was locked. Mail attachments were not encrypted so they could be extracted and Find My iPhone could be disabled without an iCloud password. The full list can be found here.
An Apple TV update, 6.1.2, was also released containing security patches.
Last but certainly not least, Apple finally enabled two factor authentication for iCloud accounts. Something that was enabled for Apple ID’s in March 2013. This applies to iCloud.com and the web apps in it. Once enabled, attempting to access iCloud.com contents will require you to enter an additional code that is sent to a trusted device. To enable the feature, sign in with your iCloud ID on the Apple ID website. Once signed in go to “Password and Security” where you enable two-step verification.
I highly recommend you install all available updates mentioned and enable two factor (or two-step as Apple likes to call it) authentication sooner rather than later as well. Of course use common sense and back up all important data before applying updates. I have not had any issues but better safe than sorry 🙂
To get your hands on these updates use Apple menu > Software Update, Open the App Store and click the Updates tab or search for them on the Apple Downloads page. On your iDevices open Settings > General > Software Updates.