Fsck those new emojis! Install iOS 8.3, OS X 10.10.3 NOW to squash all these security bugs
Stop cooing over smiley faces – there are RCEs to fix
Apple has released software updates to add features to and fix many bugs in its OS X and iOS operating systems.
The iOS 8.3 overhaul will correct dozens of programming blunders, including glitches and dropouts with Wi-Fi and Bluetooth. Users reported problems with establishing and maintaining connections to wireless networks and Bluetooth keyboards.
iOS 8.3 also speeds up app launches and makes them more responsive. The update also fixes bugs in Messages, Calendar and CarPlay, and brings in sigh ... new emojis.
For OS X Yosemite Macs, the 10.10.3 update introduces an overhauled Photos app and bug fixes for Safari, Spotlight, Wi-Fi networking and Bluetooth connections.
While the stability tweaks will make Macs and iThings less prone to annoying crashes and connectivity dropouts, the security components of both updates close off a load of exploitable vulnerabilities.
For iOS, the update will address 58 CVE-listed security holes. Of those patched flaws, two dozen lie within Safari's WebKit engine: one flaw allows phishing attempts to go unnoticed, while two enable cross-site-scripting attacks. The remaining 21 bugs shut off remote code execution vulnerabilities.
Two bugs preventing Safari from fully deleting your browsing history when prompted have been squashed, and a Podcasts flaw that let external servers harvest user information has been addressed.
The iOS Kernel will receive patches for eight flaws that range from remote-code-execution and denial-of-service to elevation-of-privilege vulnerabilities.
OS X Yosemite 10.10.3's security patches address a total of 79 CVE-listed security issues. 21 of those flaws were found in the OS X PHP port. While Apple did not specify the security risk of each, at least one of the flaws would allow for remote code execution.
Six other flaws were plugged in OpenSSL, including one that could be exploited by an attacker to intercept and decode weak export-grade encrypted data between a vulnerable Mac and a server. Apache will receive updates for nine security flaws, including one for remote code execution.
Researcher Kenton Varda has shown how the OS X kernel flaw he discovered and reported (and now patched) could be used to send Chrome, Node.js and other software into infinite loops.
And Yahoo!'s security team has revealed more information on a privilege escalation bug it found and reported in an Nvidia OS X kernel driver. That hole has also been patched.
For Mac users who haven't upgraded to OS X 10.10, there is a Security Update 2015-004 available that will fix most of the aforementioned bugs – however, one glaring local root escalation bug in OS X 10.8.5 and 10.9.5 remains un-patched. Users are urged to switch to 10.10.3 as soon as possible to kill the vulnerability.
While Apple credited dozens of security researchers for pointing out the various flaws, Ian Beer of Google Project Zero was a particularly big winner. He was credited with reporting seven different CVE-classified flaws, including five in the OS X ATS component. ®