Security updates were released by Apple on Tuesday for OS X, iOS, Safari and Apple TV. The updates address a large number of vulnerabilities identified by the company’s internal security team and external researchers.
Apple has updated OS X Yosemite to version 10.10.2. The latest release of the Mac operating system fixes a total of 54 security issues affecting components such as AFP Server, bash, Bluetooth, CoreGraphics, the CommerceKit framework, FontParser, the Intel graphics driver, IOHIDFamily, IOUSBFamily, the kernel. libnetcore, LoginWindow, OpenSSL, the sandbox, SceneKit, Spotlight, sysmond, and UserAccountUpdater.
OS X 10.10.2 also addresses the vulnerabilities disclosed recently by Ian Beer of the Google Zero Project, the Thunderstrike flaw reported by Trammell Hudson, and a Gatekeeper bypass bug identified by Hernan Ochoa of Amplia Security.
Following recent reports about a couple of Adobe Flash Player zero-days that have been exploited in the wild, Apple has decided to disable all Flash Player plugins prior to versions 188.8.131.526 and 184.108.40.2064.
These and several other WebKit flaws have also been fixed by Apple in iOS 8.1.3. Other vulnerabilities patched in the mobile operating systems affect components such as AppleFileConduit, CoreGraphics, dyld, FontParser, Foundation, IOHIDFamily, iTunes, the kernel, libnetcore, MobileInstallation, and Springboard.
As far as Safari is concerned, the Web browser has been updated to versions 8.0.3, 7.1.3 and 6.2.3. The updates address a total of four memory corruption vulnerabilities affecting the WebKit.
Some of the fixed security issues have been used by the PanguTeam and the TaiGJailbreak Team in their iPhone/iPad jailbreaks.
In Apple TV 7.0.3, the company has addressed a total of 29 vulnerabilities, but none of them are specific to this particular product; they are the same flaws that have been fixed in iOS and, in some cases, OS X.
The list of external researchers credited by the company for discovering the flaws includes Felipe Andres Manzano of the Binamuse VRT, Gaurav Baruah, Stefan Esser, Rennie deGraaf of iSEC Partners, cloudfuzzer, FireEye’s Hui Xue, Song Jin and Tao Wei, Jordan Milne, lokihardt@ASRT, Roberto Paleari and Aristide Fattori of Emaze Networks, Craig Young of Tripwire VERT, Sten Petersen, Steven Michaud of Mozilla, Mike Myers of Digital Operatives, Vitaliy Toropov, Google’s Fermin J. Serna and Jose Duart, David J Peacock, and Alex Radocea of CrowdStrike.
Friday, January 30, 2015