Apple Releases OS X Yosemite While Patching 144 Security Vulnerabilities
Apple has released their newest version of their OS X operating system, Yosemite v10.10, in addition, the company has patched over 144 security flaws found throughout a number of their products.
Apple released a number of security fixes on Thursday, fixing vulnerabilities throughout their operating system and products including: OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5; OS X Server versions 2.2.5, 3.3.2 and 4.0; and iTunes 12.0.1. Apple also released an additional 144 separate security patches throughout the updates.
Apple’s latest OS X Yosemite patches 45 vulnerabilities throughout many parts of the operating system. Included is a fix for the Bash Shell Vulnerability commonly known as Shellshock, which Apple released individual patches for at the end of September. Another serious vulnerability Apple fixed is POODLE, a vulnerability that lies within the SSL version 3 protocol. Apple addressed the issue by disabling CBC cipher suites when TLS connections fail.
Apple patched numerous severe vulnerabilities, including several arbitrary code execution with system privileges flaws, stealing WiFI credentials flaw, allowing a malicious Bluetooth device to establish a connection to the device without pairing, among hundreds of others.
As well, Apple released security update 2014-005 for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5 systems. The update includes only two patches against Shellshock and POODLE. The other 43 vulnerabilities fixed in Yosemite were also fixed in OS X Mavericks systems and later. Earlier versions of OS X have yet been patched for any of the following vulnerabilities.
Apple also patched iTunes releasing version 12.0.1 patching 83 vulnerabilities, all regarding memory corruption issues in the WebKit browser engine. Apple’s massive update is long overdue, some CVE tags date back from 2013.
Apple also released OS X Server 4.0 on Thursday as well, fixing 18 vulnerabilities.
OS X Server versions 3.3.2 and 2.2.5 were also released, only adding a TLS change to block POODLE attacks, no other bugs found in the OS X server.
In Apple’s massive update they included the identities of many third party researchers attached to their CVE vulnerability identifiers. In a large number of Apples security patches, Google Project Zero was accredited.
Google Project Zero is an initiative Google started to help secure the Internet. The Internet giant hired full-time security experts to test the security of widely used products across on the web.
The initiate started only three months ago in July and appears to be doing its job, even helping secure Apple products among many others.
It is highly recommended that if you use any of the listed Apple products you update them right away to get the added security benefits and not be left vulnerable.
