This article originally appeared in TidBITS on 2015-03-10 at 5:49 p.m.

Security Update 2015-002 (Mountain Lion, Mavericks, and Yosemite)

by Agen G. N. Schmitz

Apple has released Security Update 2015-002 [1] for OS X 10.8 Mountain Lion, 10.9 Mavericks, and 10.10 Yosemite. Most noteworthy is the fix for the FREAK vulnerability (short for Factoring RSA Export Keys), which could enable an attacker to intercept SSL/TLS-encrypted traffic and then access or alter communications between the client and server. Security Update 2015-002 also addresses a vulnerability in IOAcceleratorFamily and IOSurface’s handling of serialized objects for all three operating systems. For Yosemite, the Security Update patches a leak of kernel addresses and heap permutation values through the mach_port_kobject kernel interface and improves bounds checking in iCloud Keychain to address multiple buffer overflows. Security Update 2015-002 is available via Software Update or via direct download from Apple’s Support Downloads Web site. Note that there are two updates available for 10.10 Yosemite — one for Early 2015 Macs (i.e., those announced last week; see “New 12-inch MacBook Joins Updated MacBook Air and MacBook Pro [2],” 9 March 2015) and one for older Macs. (Free. For 10.8 Mountain Lion [3], 177.3 MB; for 10.9 Mavericks [4], 62.3 MB; for 10.10.2 Yosemite [5], 5.4 MB; and for Yosemite on Early 2015 Macs, 5 MB)