Security Market Segment LS
Wednesday, 01 July 2015 09:41

Bumper bundle of security updates for OS X


Apple has release multiple security updates for its Mac system software, along with a new version of iTunes.

Alongside iOS 8.4, Apple has released security updates for OS X, the Safari web browser, and the QuickTime multimedia software.

OS X Yosemite v10.10.4 and Security Update 2015-005 (for OS X 10.8 Mountain Lion and OS X 10.9 Mavericks), both available from the Mac App Store, address a wide range of security issues.

They include multiple privilege escalation issues, remote attack via AFP, an Apache misconfiguration, multiple PHP issues, multiple examples of kernel memory layout disclosure, multiple memory corruption issues that could be used to execute arbitrary code (including some variously related to fonts, Bluetooth, URL handling, text files, QuickTime, and certain types of signed or encrypted objects), sometimes with system privileges.

QuickTime 7.7.7 for Windows 7 and Vista has also been released to provide the relevant patches.

Back to OS X, changes to the graphics drivers for Nvidia and Intel perform improved bounds checks to address buffer overflow issues that could allow arbitrary code execution with system privileges.

The certificate trust policy has also been updated, the 'Logjam' SSL/TLS issue has been addressed, the locking of EFI flash memory when waking from sleep has been improved (the EFI patches are available separately as Mac EFI Security Update 2015-001 for Mountain Lion and Mavericks), and certain issues around code signing have been rectified.

A Yosemite-specific change addresses a flaw that allowed unsigned kernel extensions to be loaded under certain conditions.

One of the more curious issues concerns Mail. The version included in Yosemite 10.10.0 to 10.10.3 allowed the content of an HTML message to be replaced with an arbitrary web page.

Another concerns Spotlight, where "A command injection vulnerability existed in the handling of filenames of photos added to the local photo library."

Open source components that have been updated but not already mentioned include libtiff, OpenSSL, SQLite and unzip.

All told, more that 75 distinct vulnerabilities are addressed by OS X Yosemite v10.10.4 and Security Update 2015-005.

The latest version of Safari - 8.0.7 - is included in the OS X Yosemite 10.10.4 update. It is also available separately from the Mac App Store, along with Safari 7.1.7 and 6.2.7 for Mavericks and Mountain Lion respectively.

Changes include improved checking to prevent one site accessing another's WebSQL databases, and better protection against cross-site request forgeries and malicious links in embedded PDFs.

This latest set of updates is consistent with Apple's unstated but apparent policy of only releasing security updates for the current version of OS X and its two most recent predecessors.

In related news, Apple has also released iTunes 12.2 with support for the new Apple Music service. It is available from the Mac App Store.

Subscribe to ITWIRE UPDATE Newsletter here

Now’s the Time for 400G Migration

The optical fibre community is anxiously awaiting the benefits that 400G capacity per wavelength will bring to existing and future fibre optic networks.

Nearly every business wants to leverage the latest in digital offerings to remain competitive in their respective markets and to provide support for fast and ever-increasing demands for data capacity. 400G is the answer.

Initial challenges are associated with supporting such project and upgrades to fulfil the promise of higher-capacity transport.

The foundation of optical networking infrastructure includes coherent optical transceivers and digital signal processing (DSP), mux/demux, ROADM, and optical amplifiers, all of which must be able to support 400G capacity.

With today’s proprietary power-hungry and high cost transceivers and DSP, how is migration to 400G networks going to be a viable option?

PacketLight's next-generation standardised solutions may be the answer. Click below to read the full article.


WEBINAR PROMOTION ON ITWIRE: It's all about webinars

These days our customers Advertising & Marketing campaigns are mainly focussed on webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

We have a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you.


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News