Apple yesterday released the latest version of its operating system, OS X 10.10 Yosemite. As usual, the new version of the operating system does include a number of security related bug fixes, and Apple released these fixes for older versions of OS X today.
This update, Security Update 2014-005 is available for versions of OS X back to 10.8.5 (Mountain Lion).
Among the long list of fixes, here a couple of highlights:
Apple doesn't turn off SSLv3 in this release, but restricts it to non-CBC ciphers, limiting its exposure to attacks like POODLE and BEAST. The list of trusted certificate authorities has also been updates [2]
802.1x no longer supports LEAP by default due to weaknesses in this authentication method.
The bash fix, that was released as a standalone fix earlier to counter "Shellshock", is included in this update.
An arbitrary code execution vulnerability in CUPS was fixed. (CVE-2014-3537)
And a quick note about OS 10.10 Yosemite:
After installing it, all security relevant settings I checked where untouched (good!). Among security relevant software, GPGMail will not work with Yosemite yet, but according to the developers, a fix is in the work and may be release in a few weeks, but GPGMail may no longer be free. If you rely on software that you compiled with MacPorts: Wait for the release of XCode 6.1, as it is required to recompile the software for OS X 10.10. In general, it is adviced that you FIRST update all your software and then upgrade to Yosemite. Little Snitch, another popular piece of security software for OS X, works well with Yosemite, but I recommend you turn off the network filter during the upgrade (it works with it enabled, but you need to approve a lot of new connections from new software).
[1] http://support.apple.com/kb/HT1222
[2] http://support.apple.com/kb/HT6005
'취약점 정보1' 카테고리의 다른 글
ELF Parser 1.1.0 now with shell command extraction (0) | 2014.10.21 |
---|---|
Logging SSL (0) | 2014.10.20 |
Microsoft MSRT October Update (0) | 2014.10.20 |
OpenSSL 다중 취약점 보안업데이트 권고 (0) | 2014.10.20 |
사이버 공격 "Sandworm"가 "Blacken"에 유도. 산업 제어 시스템이 표적? (0) | 2014.10.18 |