This article originally appeared in TidBITS on 2015-08-14 at 8:56 a.m.
The permanent URL for this article is: http://tidbits.com/article/15859

OS X 10.10.5 Yosemite and iOS 8.4.1 Address Numerous Security Holes

by Adam C. Engst

Apple has released minor updates to both OS X 10.10 Yosemite and iOS 8, calling out just a few general changes in the main release notes, but noting nearly 70 security fixes for OS X and over 40 for iOS. It seems likely that Apple’s release was timed to follow the Black Hat and DEF CON security conferences, where privately reported security vulnerabilities might be made public. Given the number of security fixes, I’d encourage you to install these updates soon, since they’re more important than the release notes might imply.

OS X -- For Mac users, OS X 10.10.5 [1], which is available via Software Update or standalone delta [2] (from 10.10.4, 1.02 GB) and combo [3] (from any version of 10.10, 2.12 GB) updaters, has only three items in its release notes:

On the security side, however, Apple lists 69 entries [4] that span the gamut from OS X’s Unix apps and utilities to the kernel itself. For the most part, the specifics aren’t interesting, but a few are worth calling out. The DYLD_PRINT_TO_FILE vulnerability [5] discovered by Stefan Esser [6] and the CEO of information security firm GrayHash, who goes by @beist [7] on Twitter, has been blocked. That’s important because it made it possible for apps to gain root permissions without requiring a password; even more concerning was that it had started to appear in the wild. In addition, previous versions of the Unix sudo utility included in OS X could allow an attacker access to arbitrary files — that’s a bad thing.

If you have trouble installing via the App Store app, try the combo updater — I’ve seen some reports of installations failing to complete and retrying repeatedly.

iOS 8.4.1 -- For those using an iPhone or iPad, iOS 8.4.1 [8] focuses its attention on six fixes related to Apple Music:

But don’t get the impression you can pass on installing iOS 8.4.1 if you don’t use Apple Music. As with OS X 10.10.5, there are oodles of security fixes [9] — 43 all told. None are particularly notable.

As always, you can install iOS 8.4.1 from Settings > General > Software Update on your device, or by connecting it to iTunes.

[1]: https://support.apple.com/en-us/HT205004
[2]: https://support.apple.com/kb/DL1833
[3]: https://support.apple.com/kb/DL1832
[4]: https://support.apple.com/en-us/HT205031
[5]: https://blog.malwarebytes.org/mac/2015/08/dyld_print_to_file-exploit-found-in-the-wild/
[6]: https://twitter.com/i0n1c
[7]: https://twitter.com/beist
[8]: https://support.apple.com/kb/DL1818
[9]: https://support.apple.com/en-us/HT205030