While you’re reading this, have your Time Machine or other backup running.
Today Apple released software updates for OS X and iOS. The update for iOS is 8.4 and it’s main purpose is the introduction of iTunes Music but as always some security related issues were addressed as well. A total of 35 security issues were fixed making this more than just a music service update. Back up your iOS devices to iCloud or iTunes and install the update when you can. Read the installer for all the details on what the update has to offer.
For OS X users we got a new version of Safari. Available for users of OS X 10.8.5, 10.9.5 and 10.10.3. While only 4 WebKit issues were addressed, they are not insignificant:
• A maliciously crafted website can access the WebSQL databases of other websites.
• Visiting a maliciously crafted website may lead to account account takeover.
• Clicking a maliciously crafted link in a PDF embedded in a webpage may lead to cookie theft or user information leakage.
• Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution.
By installing this update, Mountain Lion users will get Safari 6.2.7, Mavericks users will get Safari 7.1.7 and Yosemite users will get Safari 8.0.7. It is recommended to install this update soon, specially if Safari is your primary browser.
Also released today was OS X Yosemite 10.10.4. Fixing a whopping 79 security issues it is recommended you install this update as soon as you can. A few of the security fixes are:
• (Admin Framework) A process may gain admin privileges without proper authentication.
• (Admin Framework) A non-admin user may obtain admin rights.
• (Admin Framework) An attacker may abuse Directory Utility to gain root privileges.
• (ATS) Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution.
• (Bluetooth) A malicious application may be able to execute arbitrary code with system privileges.
• (Certificate Trust Policy) An attacker with a privileged network position may be able to intercept network traffic.
• (EFI) A malicious application with root privileges may be able to modify EFI flash memory.
• (EFI) A malicious application may induce memory corruption to escalate privileges.
The list goes on and on. While I have not confirmed this yet, some or all of the included security fixes address the recently discussed XARA vulnerabilities which makes this (amongst many reasons) a great update. The included EFI fixes address a serious vulnerability that were recently found and could compromise a Mac. Another reason a lot of people are excited about the 10.10.4 update is the return of mDNSResponder. Starting with OS X 10.10 Apple replaced the process with Discoveryd, a move that was ill advised since the very beginning but Apple did it anyway. A host of network related issues, high CPU usage, battery life problems, wake from sleep issues and more were attributed to this new process. It’s finally gone making folks very excited to see all those issues (hopefully) disappear. If you experienced any of these issues, Wi-Fi issues and network issues in general, this update might solve your woes. I am hoping the removal of the dreaded Discoveryd process will return my OS X server to something worth having.
That brings us to the next update specifically for OS X 10.8 Mountain Lion and 10.9 Mavericks users. It’s called “Mac EFI Security Update 2015-001” and addresses the same EFI vulnerability mentioned above. While OS X 10.10 Yosemite users have this EFI fix included in the 10.10.4 update, users of older OS X versions must install this stand-alone update. Backing up your data before any update is a good idea but with EFI Firmware updates, make extra sure your backup is recent and in working order. A software update gone bad can be fixed with a reinstall. A firmware update gone bad can result in your Mac becoming a brick with no way to reinstall. I have updated over 65 machines this afternoon without a single issue but you never know. Better safe than sorry.
Update your backups and start installing updates!