If you’re one of those people who waits for the first update to an update before you install it…
…and you’re also an OS X or an iOS user, then your number’s just been called.
In a flurry of Security Advisories published this week [2015-10-21] by Apple, the following security-oriented updates were announced:
- OS X El Capitan 10.11.1
- iOS 9.1
- watchOS 2.0.1
- OS X Server 5.0.15
Additionally, iTunes goes to 12.3.1; Safari goes to 9.0.1; and, for programmers, Xcode goes to 7.1.
Interestingly, the iTunes security advisory applies only to Windows – on the Mac, it seems, it’s funky new features only.
Pre-Capitan versions of OS X get their own security fixes in Update 2015-007 and Mac EFI Security Update 2015-002.
As usual, head over to the App Store for the fixes: Apple Menu | App Store... | Updates.
Or, if you’re like me, you may want to get the OS X El Capitan point release as a disk image, just in case you need to reinstall the base operating system, or if, unlike me, you have a whole stash of Macs and don’t want each one of them to have to fetch the update from the App Store.
→ Bandwith planner: iOS 9.1 will cost you about 0.3GB and OS X 10.11.1 about 1.1GB. Xcode 7.1, despite being a point release, is an “all-over-again” download, at just a shade over 2GB.
The security patches include a large number of remote code execution (RCE) holes that could, in theory, be triggered by booby-trapped objects of numerous sorts, including:
- Web pages
- Audio files
- Fonts
- Disk images
- Packages (.pkg) files
- Images
- AppleScripts
Once again, well done to Apple for pushing out fixes quickly, given that it’s less than a month since El Capitan came out, and just over a month since iOS 9 hit the airwaves.
And to all those Apple fans who live by the rule, “If malware hits your Mac, you’ll always see a prompt or some kind of warning first…”
…the whole problem with an RCE attack caused by booby-trapped content is that just looking at a file, or opening a file that contains embedded data such as a font or an image, is usually enough to give control to the crooks.
It’s called a drive-by install or a drive-by download for obvious reasons: you think you are safely “Just Visiting,” as the Monopoly board puts it, but the crooks end up owning you!
Monopoly board JUST VISITING image by txking, courtesy of Shutterstock.