OS X 10.10.5 Yosemite and iOS 8.4.1 Address Numerous Security Holes

Apple has released minor updates to both OS X 10.10 Yosemite and iOS 8, calling out just a few general changes in the main release notes, but noting nearly 70 security fixes for OS X and over 40 for iOS. It seems likely that Apple’s release was timed to follow the Black Hat and DEF CON security conferences, where privately reported security vulnerabilities might be made public. Given the number of security fixes, I’d encourage you to install these updates soon, since they’re more important than the release notes might imply.

OS X -- For Mac users, OS X 10.10.5, which is available via Software Update or standalone delta (from 10.10.4, 1.02 GB) and combo (from any version of 10.10, 2.12 GB) updaters, has only three items in its release notes:

  • Improves compatibility with certain email servers when using Mail

  • Fixes an issue in Photos that prevented importing videos from GoPro cameras

  • Fixes an issue in QuickTime Player that prevented playback of Windows Media files

On the security side, however, Apple lists 69 entries that run the gamut from OS X’s Unix apps and utilities to the kernel itself. For the most part, the specifics aren’t interesting, but a few are worth calling out. The DYLD_PRINT_TO_FILE vulnerability discovered by Stefan Esser and the CEO of information security firm GrayHash, who goes by @beist on Twitter, has been blocked. That’s important because it made it possible for apps to gain root permissions without requiring a password; even more concerning was that it had started to appear in the wild. In addition, previous versions of the Unix sudo utility included in OS X could allow an attacker access to arbitrary files — that’s a bad thing.

If you have trouble installing via the App Store app, try the combo updater — I’ve seen some reports of installations failing to complete and retrying repeatedly.

iOS 8.4.1 -- For those using an iPhone or iPad, iOS 8.4.1 focuses its attention on six fixes related to Apple Music:

  • Resolves issues that could prevent turning on iCloud Music Library

  • Resolves an issue that hides added music because Apple Music was set to show offline music only

  • Provides a way to add songs to a new playlist if there aren’t any playlists to choose from

  • Resolves an issue that may show different artwork for an album on other devices

  • Resolves several issues for artists while posting to Connect

  • Fixes an issue where tapping Love doesn’t work as expected while listening to Beats 1

But don’t get the impression you can pass on installing iOS 8.4.1 if you don’t use Apple Music. As with OS X 10.10.5, there are oodles of security fixes — 43 all told. None are particularly notable.

As always, you can install iOS 8.4.1 from Settings > General > Software Update on your device, or by connecting it to iTunes.

 

 

Comments about OS X 10.10.5 Yosemite and iOS 8.4.1 Address Numerous Security Holes

Hi Adam, thanks for your article.

Question: Are any of the security fixes implemented for Mavericks users? If so, which fixes? Thanks.
B. Jefferson Le Blanc  2015-08-19 20:34
Apple released security update 2015-006 for OS X 9.5 Mavericks at the same time as the OS 10.10.5 update for Yosemite. They include the same security fixes. You can find it on MacUpdate, at http://www.macupdate.com/app/mac/48561/apple-security-update. There is also a link to the 2015-006 update for OS X 10.8.5 Mountain Lion. Alternatively, if you are using either of these versions of OS X, the security update should show up in Software Update.
The real reason for 8.4.1 is to break the Taig jailbreak for 8.x
B. Jefferson Le Blanc  2015-08-19 20:45
Adam, I'd be interested to know what you've heard about or experienced on how well the last two Yosemite updates have done patching the numerous flaws in the system. Absent any reliable information on the current state of Yosemite, I'm still reluctant to upgrade my Mavericks system. Fortunately, for me anyway, there's nothing in Yosemite that I actually want or need. So, given that Apple is still supporting OS X 10.9.5, staying with Mavericks does not yet present any problems. Indeed, I may skip Yosemite altogether. This is the first time I've ever passed over an OS X upgrade since I began using Mac OS 7.2 twenty years ago.
Adam Engst  2015-08-20 08:52
I haven't experienced any real problems with Yosemite, so I can't say that the updates have fixed things, personally. This last one is aimed at security problems, though, and I think that's more serious, especially given the one that was in the wild already.

All that said, I also don't really see Yosemite as an improvement on Mavericks, or Mountain Lion. I skipped Lion on my main Mac (I install everything on my laptop) because, well, Snow Leopard worked and Lion just broke things.

There's no harm in not upgrading until it prevents you from doing something you want - some software is 10.10+ only and if you want to run such an app, then you have to upgrade.