Apple: Those security holes we fixed last week? You're going to need to repatch
Turns out those bugs weren't quite squished
Apple has released a follow-up to last week's security update after finding a pair of flaws that still leave patched systems vulnerable.
The Cupertino giant said that the 2015-003 update would address two flaws: a man-in-the-middle vulnerability and a type confusion error in OS X Yosemite (10.10.2).
Both of the flaws, CVE-2015-1065 and CVE-2015-1061, were listed in last week's security update, but were not effectively patched, forcing Apple to put out another fix.
The CVE-2015-1065 issue was discovered by Andrey Belenko of NowSecure and concerns the handling of iCloud Keychain data during recovery. An attacker who is able to get between a vulnerable Mac and its network connection could cause buffer overflow errors allowing for arbitrary code execution.
The second flaw, CVE-2015-1061, is due to a type confusion error with Yosemite's IOSurface developer tool preventing proper handling of serialized objects. A malicious application could exploit the vulnerability to force the target Mac to execute code with system privileges. Ian Beer of Google Project Zero was credited with reporting the flaw to Apple.
Along with the new patches, the 2015-003 update contains all of the fixes from last week's 2015-002 security update. Apple did not say whether iOS 8.2, which also included fixes for CVE-2015-1061 and CVE-2015-1065, would need another update.
Users can obtain the fix through the OS X App Store or by enabling the 'automatic updates' system option. ®