(LiveHacking.Com) – Apple has released a massive set of security fixes to address vulnerabilities in OS X, iOS, Safari, and Apple TV. The update for OS X is the largest of all the patches and addresses 80 unique vulnerabilities. The OS X Yosemite v10.10.3 update is available for OS X Yosemite v10.10 to v10.10.2, while Security Update 2015-004 is available for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5.
Of particular interest are the fixes for several CVEs raised by Ian Beer of Google Project Zero. Multiple input validation issues existed in fontd, and as a result a local user may be able to execute arbitrary code with system privileges.
Apple also fixed a use-after-free issue that existed in CoreAnimation, an input validation issue that existed within OS X’s URL processing, and a memory corruption issue that existed in WebKit. Because of these, visiting a maliciously crafted website could have led to arbitrary code execution.
Other “arbitrary code execution” vulnerabilities fixed by Apple include:
- Multiple memory corruption issues that existed in the processing of font files (CVE-2015-1093 : Marc Schoenefeld).
- A memory corruption issue that existed in the handling of .sgi files.
- A memory corruption issue that existed in an IOHIDFamily API (CVE-2015-1095 : Andrew Church).
- A memory corruption issue that existed in the handling of iWork files (CVE-2015-1098 : Christopher Hickstein).
- A heap buffer overflow that existed in SceneKit’s handling of Collada files (CVE-2014-8830 : Jose Duart of Google Security Team).
Apple also updated the bundled version of Apache in OS X. Multiple vulnerabilities existed in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. These issues were addressed by updating Apache to versions 2.4.10 and 2.2.29.
Likewise, it updated the bundled version of PHP. Multiple vulnerabilities existed in PHP versions prior to 5.3.29, 5.4.38, and 5.5.20, including one which may have led to arbitrary code execution. This update addresses the issues by updating PHP to versions 5.3.29, 5.4.38, and 5.5.20.
The update for iOS addresses 58 separate CVE entries, while Apple TV 7.2 fixes 38 unique CVEs. The Safari fixes update the browser to Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5. In total, the Safari update addresses 10 different CVEs.
You can get more information on these updates on Apple’s Security Updates web site: https://support.apple.com/kb/