Apple releases updates for OS X and iOS
While you’re reading this, have your Time Machine or other backup running.
Today Apple released software updates for OS X and iOS. The update for iOS is 8.4 and it’s main purpose is the introduction of iTunes Music but as always some security related issues were addressed as well. A total of 35 security issues were fixed making this more than just a music service update. Back up your iOS devices to iCloud or iTunes and install the update when you can. Read the installer for all the details on what the update has to offer.
For OS X users we got a new version of Safari. Available for users of OS X 10.8.5, 10.9.5 and 10.10.3. While only 4 WebKit issues were addressed, they are not insignificant:
• A maliciously crafted website can access the WebSQL databases of other websites.
• Visiting a maliciously crafted website may lead to account account takeover.
• Clicking a maliciously crafted link in a PDF embedded in a webpage may lead to cookie theft or user information leakage.
• Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution.
By installing this update, Mountain Lion users will get Safari 6.2.7, Mavericks users will get Safari 7.1.7 and Yosemite users will get Safari 8.0.7. It is recommended to install this update soon, specially if Safari is your primary browser.
Also released today was OS X Yosemite 10.10.4. Fixing a whopping 79 security issues it is recommended you install this update as soon as you can. A few of the security fixes are:
• (Admin Framework) A process may gain admin privileges without proper authentication.
• (Admin Framework) A non-admin user may obtain admin rights.
• (Admin Framework) An attacker may abuse Directory Utility to gain root privileges.
• (ATS) Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution.
• (Bluetooth) A malicious application may be able to execute arbitrary code with system privileges.
• (Certificate Trust Policy) An attacker with a privileged network position may be able to intercept network traffic.
• (EFI) A malicious application with root privileges may be able to modify EFI flash memory.
• (EFI) A malicious application may induce memory corruption to escalate privileges.
The list goes on and on. While I have not confirmed this yet, some or all of the included security fixes address the recently discussed XARA vulnerabilities which makes this (amongst many reasons) a great update. The included EFI fixes address a serious vulnerability that were recently found and could compromise a Mac. Another reason a lot of people are excited about the 10.10.4 update is the return of mDNSResponder. Starting with OS X 10.10 Apple replaced the process with Discoveryd, a move that was ill advised since the very beginning but Apple did it anyway. A host of network related issues, high CPU usage, battery life problems, wake from sleep issues and more were attributed to this new process. It’s finally gone making folks very excited to see all those issues (hopefully) disappear. If you experienced any of these issues, Wi-Fi issues and network issues in general, this update might solve your woes. I am hoping the removal of the dreaded Discoveryd process will return my OS X server to something worth having.
That brings us to the next update specifically for OS X 10.8 Mountain Lion and 10.9 Mavericks users. It’s called “Mac EFI Security Update 2015-001” and addresses the same EFI vulnerability mentioned above. While OS X 10.10 Yosemite users have this EFI fix included in the 10.10.4 update, users of older OS X versions must install this stand-alone update. Backing up your data before any update is a good idea but with EFI Firmware updates, make extra sure your backup is recent and in working order. A software update gone bad can be fixed with a reinstall. A firmware update gone bad can result in your Mac becoming a brick with no way to reinstall. I have updated over 65 machines this afternoon without a single issue but you never know. Better safe than sorry.
Update your backups and start installing updates!
I really wish Apple would provide some clarity for the machines affected. As far as I can tell the Mac EFI Security Update 2015-001 has patches for machines back to roughly 2011.
Does that mean that Apple arbitrarily decided to only fix machines going back to that year or does it mean that earlier machines are somehow not affected?
The update should apply to all machines that can run OS X 10.8.5 and up. The EFI firmware is much more flexible and can be managed on a broader range of machines than the SMC firmware from my understanding. As EFI handles traffic between the OS and the SMC firmware and Apple has dropped support for anything pre-10.8, it makes sense that older machines are gonna have to do without this EFI fix. I’d imaging if a Machine runs 10.6 or 10.7 and then updates to 10.8, the EFI update will become available. This would make the update technically available to machines dating back to 2007 (iMac & MacBook Pro), 2008 (Mac Pro, MacBook & MacBook Air), 2009 (Mac mini). Then again I might be completely wrong about all this 🙂
Take a look inside the package for the the Mac EFI Security Update 2015-001 installer. It has ‘payloads’ sorted by machine ID. There is no ‘payload’ for a machine ID earlier than 2011. There are obviously machines that were not patched that are able to run Mountain Lion-Yosemite.
The remaining question is did Apple just decide not to issue a fix for machines prior to 2011 (but otherwise still ‘supported’) or are they unaffected.
I am not optimistic at this point.
My opinion is that Apple picked 2011 (Sandy Bridge) as a stopping point for their own convenience.
I hope I am wrong. But I don’t have the technical means to determine it.
You’re right, it’s limited to just those boot ROM versions. Older Macs from what I see still have the same EFI fixes included in the “Security Update 2015-005”. Similar update just titled differently. This update was available for a 2010 Mac mini I ran software updates on.