Apple fixes a bucketload of vulnerabilities in everything
Apple has pushed out updates for OS X Yosemite, OS X Server, iOS and Safari, fixing a bucketload of critical and less critical vulnerabilities.
While the OS X Server update contains only a patch for the BIND flaw (CVE-2015-5477) that is currently being exploited in the wild, the OS X Yosemite update contains a considerable number of fixes.
These include those for a bug that could be exploited by a malicious application to access the iCloud user record of a previously signed in user; a number of bugs that can be triggered by maliciously crafted DMG files, font files, image and movie files and can lead to unexpected application termination or arbitrary code execution; a kernel bug that could allow a malicious app to execute unsigned code; a DYLD_PRINT_TO_FILE vulnerability that is being used by malicious software in the wild, and more.
According to Sophos‘ Paul Ducklin, the update doesn’t close the hole that allows Thunderstrike 2-type attacks.
The new iOS update is also hefty, with many fixes for code execution flaws. The Safari patch is intended for OS X Mavericks and Mountain Lion users (it is included in the Yosemite update).
Users are advised to implement the patches as soon as possible.