Apple updates Yosemite and Safari
Today Apple released the second update to the latest OS X, 10.10.2.
While the detailed list of security fixes in this update has not yet been released, we know from other sources that Apple fixed the Thunderstrike exploit, briefly mentioned in my last post, and three of the vulnerabilities reported by Google last week. Also resolved is an issue where Spotlight would load remote email contents even if Mail itself had this disabled. Other fixes in this release address poor Wi-Fi performance, slow-loading webpages, the ability to browse iCloud Drive in Time Machine, and Safari stability and security improvements.
Separate Safari updates were released for 10.8 Mountain Lion and 10.9 Mavericks users. Both updates address stability and security. Mountain Lion users will see their version of Safari updated to 6.2.3 and Mavericks users to 7.1.3. Four WebKit issues were addressed in these updates. Safari 8.0.3 for Yosemite users is included in the OS X 10.10.2 update.
Also released was Security Update 2015-001, which “is recommended for all users and improves the security of OS X.” The update is available for 10.9.5 Mavericks users and is included in the OS X 10.10.2 update for Yosemite users. Issues addressed include vulnerabilities in AFP file sharing, Bluetooth, the network cache, CoreGraphics and other components. It’s quite a list, which can be found here.
It is recommended to update your backups before installing these (or any) updates. In the case of a second OS X release I personally like to download and apply the combo update; this has typically resolved more of the ‘new OS’ bugs than simply running the single version update. At the time of writing, the combo update and the above-mentioned updates are not available for direct download. Keep an eye on the Apple downloads page, where the combo update should pop up soon.
About the Thunderstrike fix. Your description makes it sound like Security Update 2015-001 contains the fix for 10.9.5. My reading of the Apple disclosure is that Thunderstrike is only patched for 10.10.2 when run on MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013).
It sounds to me like Thunderstrike is still an issue on ~pre-2013 hardware even with 10.10.2 and that no Thunderstrike fix is included for any OS other than 10.10.2.
“CPU Software
Available for: OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013)
Impact: A malicious Thunderbolt device may be able to affect firmware flashing
Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
CVE-ID
CVE-2014-4498 : Trammell Hudson of Two Sigma Investments”
http://support.apple.com/en-us/HT204244
You’re absolutely right, I have corrected it in the article. Good catch!
Any thoughts on Apple apparently leaving all but the most current hardware vulnerable to Thunderstrike…
None at the moment. Apple won’t comment on security-related issues either, so we may never know their reasoning behind this. The 10.10.2 update includes a firmware updater; I’ve tried to open it and get more information but there isn’t any.
Apple is known to care less about older hardware and software so this may also be another way for them to push newer Macs and Yosemite.