Naked Security

Apple fixes loads of security holes in OS X, iOS, Apple TV, Safari

OS X gets a brand new photo application called, er, Photos, but the security fixes are the real reason you want these updates.

Apple’s latest tranche of updates has shipped.

The OS X update for Yosemite (10.10.3) excitedly announces the arrival of a brand new photo application.

It’s a successor to the venerable iPhoto software, sporting the imaginative name, wait for it, of…

Photos.

The biggest drawcard of Photos seems to be a feature that could be both a security blessing and a curse, namely 5GB of free photo storage on Apple’s iCloud servers.

(Paid photo storage plans, apparently, go up to a mammoth 1TB, but your first 5GB is free.)

You’ll have free off-site backup, but there’s the concomitant extra risk of other people getting access to your private images as well.

The security fixes

As usual, however, it is the security fixes that are the compelling reason to grab these updates sooner rather than later, whether you are ready to leave iPhoto behind for Photos or not.

You can find all the gory details here:


• OS X 10.10.3 (10.10 Yosemite): HT204659

(Get a standalone installer at DL1805. Size: 1.4GB.)


• Security Update 2015-004 (10.9 Mavericks): HT204659

(Get a standalone installer at DL1803. Size: 112MB.)


• Security Update 2015-004 (10.8 Mountain Lion): HT204659

(Get a standalone installer at DL1802. Size: 176MB.)


• iOS 8.3: HT204661

(Get it from your device using Settings | General | Software Update. Size: 291MB.)


• Apple TV 7.2: HT204662

(Get it via Apple TV.)


• Safari 6.2.5, 7.1.5, 8.0.5: HT204658

(Get it via Apple Menu | App Store.)


Note that the Yosemite update, being a point release, includes Safari 8.0.5.

Also, if you like to fetch Apple’s Combo Updates whenever a point release comes out, you will find the relevant download for OS X 10.10.3 at DL1804. (Size: 1.9MB.)

Combo Updates bundle in all previous point releases, so that you can use the 10.10.3 Combo to jump straight from the original OS X Yosemite 10.10 to the most recent version.

You don’t first have to install 10.10.1, reboot, and then install 10.10.2 and reboot again before applying 10.10.3.

That’s very handy if ever you need or want to do a fresh OS X install.

It means you can more easily bring yourself right up to date with security fixes, including fixes for Safari, before you go online for the first time.

What was fixed?

The list of software components fixed in the various updates is extensive.

Rather than go into all the details, we’ll just encourage you towards grabbing the updates by pointing out that the holes fixed include:

  • Remote code execution (RCE). Opening a booby-trapped file or browsing to a malicious web page could lead to implanted malware, stolen data and a hijacked computer.
  • Security bypasses. Files you might expect to be kept away from prying eyes might be visible; secrets useful for further attacks (such as memory addresses used by the operating system) might be revealed.
  • Denial of service. A crook could force your computer to shut down without warning.
  • Data leakage. Passwords, private browsing data and application screenshots could be revealed.

More Lock Screen bugs

The most intriguing bugs, if we’re allowed to pick “favourites,” are probably two Lock Screen holes in iOS.

Your phone’s Lock Screen is very important, because it’s your main and immediate defence if your phone is lost, stolen, or even just picked up at the pub by an inquisitive (and improperly-behaved) friend or colleague.

The idea is that your Lock Screen can be configured to:

  • Kick in automatically when you aren’t using your phone. (Make the timeout as short as you can tolerate, e.g. 2 minutes.)
  • Require an unlock PIN or password. (Go as far beyond the minimum complexity of 4 digits as you can tolerate, e.g. 8 digits or a phrase.)
  • Automatically zap the data on your phone after 10 wrong passwords. (Don’t let young kids play with your work phone. It’s not a toy.)

Phones from Apple and other vendors have had a disappointing array of Lock Screen bugs in recent times, and the iOS 8.3 update fixes two more.

Uncovered by researchers at the University of Technology, Sydney, vulnerability CVE-2015-1107 means that the last-mentioned Lock Screen defence above might fail to trigger.

That could leave your phone unwiped even after a crook has exhausted his guesses.

And Lock Screen vulnerability CVE-2015-1108 means that the crook might be able to keep on guessing anyway, even after he’s supposed to have been shut out.
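The three Lock Screen defences listed earlier (auto-lock timeout, a long passcode, erase after 10 wrong guesses) and the two properties these bugs are described as breaking (the wipe must actually fire, and no further guesses may be evaluated once the limit is hit) can be modelled as a small state machine. The following is an added illustrative example, not Apple's code and not a description of how iOS implements any of this; the `LockScreen` class, the `MAX_FAILED_ATTEMPTS` and `AUTO_LOCK_SECONDS` constants, and the PBKDF2-based passcode verifier are all assumptions made for the illustration.

```python
"""Illustrative model of a Lock Screen passcode policy (added example, not Apple's code).

It models the defences the article lists: auto-lock after a timeout, a passcode
of a policy-enforced minimum length, and a wipe after MAX_FAILED_ATTEMPTS wrong
guesses. Two properties are deliberately built in, because they are what a bug in
this area breaks: the failed-attempt counter is committed before the guess is
checked (so the wipe cannot be skipped), and a wiped or locked-out device refuses
to evaluate any further guess.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10      # the "erase data after 10 wrong passcodes" setting
AUTO_LOCK_SECONDS = 120       # the 2-minute auto-lock timeout suggested above
MIN_PASSCODE_LENGTH = 8       # assumed policy: 8 characters, beyond the 4-digit minimum


def _derive(passcode: str, salt: bytes) -> bytes:
    """Slow KDF so each guess costs something even if the counter were bypassed."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 20_000)


@dataclass
class LockScreen:
    salt: bytes
    verifier: bytes
    failed_attempts: int = 0   # must be persisted; it is restored via restore()
    wiped: bool = False
    locked: bool = True
    last_activity: float = 0.0

    @classmethod
    def enrol(cls, passcode: str) -> "LockScreen":
        if len(passcode) < MIN_PASSCODE_LENGTH:
            raise ValueError("passcode shorter than the policy minimum")
        salt = os.urandom(16)
        return cls(salt=salt, verifier=_derive(passcode, salt))

    def touch(self, now: float) -> None:
        """Record user activity (used by the auto-lock timer)."""
        self.last_activity = now

    def tick(self, now: float) -> None:
        """Auto-lock once the device has been idle for AUTO_LOCK_SECONDS."""
        if not self.locked and now - self.last_activity >= AUTO_LOCK_SECONDS:
            self.locked = True

    def unlock(self, guess: str, now: float) -> bool:
        """Evaluate one guess; returns True only on a successful unlock."""
        # Refuse before verifying: a wiped or already-exhausted device must never
        # run the comparison again, so there is nothing left to keep guessing at.
        if self.wiped or self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self._wipe()
            return False
        # Commit the failure before checking the guess, so an interrupted check
        # cannot lose the increment and the wipe threshold is always reached.
        self.failed_attempts += 1
        if hmac.compare_digest(_derive(guess, self.salt), self.verifier):
            self.failed_attempts = 0
            self.locked = False
            self.last_activity = now
            return True
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self._wipe()           # the tenth wrong guess must actually trigger the wipe
        return False

    def _wipe(self) -> None:
        """Destroy the verifier and salt; nothing remains to check a guess against."""
        self.verifier = b""
        self.salt = b""
        self.wiped = True
        self.locked = True

    def persist(self) -> dict:
        """State that must survive a reboot, counter included."""
        return {"salt": self.salt, "verifier": self.verifier,
                "failed_attempts": self.failed_attempts, "wiped": self.wiped}

    @classmethod
    def restore(cls, state: dict) -> "LockScreen":
        return cls(salt=state["salt"], verifier=state["verifier"],
                   failed_attempts=state["failed_attempts"], wiped=state["wiped"])
```

The two checks at the top of `unlock` are the point of the model: the counter is incremented before the guess is compared, and an exhausted or wiped device short-circuits before any comparison, so neither "the wipe never fires" nor "guessing continues after lockout" is reachable from this code path. The `persist`/`restore` pair shows that the counter is part of the state that has to survive a restart; a counter kept only in memory would reset on every reboot.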

Convinced about updating yet?

We are: our updates are downloading as we speak!


Dear Paul,

Once again the one person in the world I go to who’s going to fully explain an update to all… including we senior citizens is you.

This morning reading my email from Naked Security I was immediately aware of the need to update… was away from home… so now straight back home and have completed the update.

It feels good to have completed this.

Sometimes I think I just take and absorb all this wonderful information that all of you provide… I always listen to Chet Chat, but only once commented… on the recent anniversary.

Anyway please accept my gratitude for all your ongoing work,

Rosie


At the official Apple forum yesterday there were several people complaining about 10.10.3. Has anyone here had any issues?


I have been trickling down my 1.9GB Combo Update over 3G, so I still have a few hundred MB to go and therefore haven’t actually applied the update yet.

I notice that Apple makes the very hand-waving remark that 10.10.3 “improves Wi-Fi performance and connectivity in various usage scenarios.” (What is it with techies and the English language? The words “in various usage scenarios” are just high-falutin disguises for “maybe” or “sometimes”.)

Anyway I am hoping for the opposite of issues…I have regular Wi-Fi dropouts, and they seem to have started immediately after I updated to 10.10. Not saying 10.10 was the cause…just hoping the effect will now vanish :-)


Re. the 10.10 patch for flaw CVE-2015-1130. Is this flaw also on OS 10.9.5? Assuming yes, does security update 2015-004 patch the flaw? Or do 10.9.5 users really have to upgrade to 10.10 Yosemite to be secure from the flaw? I ask because I am far from convinced Yosemite solves various WiFi problems. I hope to remain on Mavericks until the problems are solved…


Interesting question. Apple’s release notes say the CVE-2015-1130 bugfix is available for 10.10. That means there is no fix for 10.9.

What the release notes don’t say is whether the fix is missing from 10.9 because it is not relevant, or because the bug exists and remains unpatched.

The reporter of CVE-2015-1130 suggests that 10.9 *is* vulnerable and recommends moving up to 10.10.
