The Mac Security Blog

Security & Privacy + Security News

OS X Yosemite 10.10.5 Released — Fixing Numerous Security Holes

Posted on by

OS X Yosemite 10.10.5

Apple has issued an update to the OS X Yosemite operating system, bringing it up to version 10.10.5.

Although many users will appreciate bug fixes that the company has incorporated into new versions of its Mail, Photos, and QuickTime Player apps, what will interest readers of this blog the most will be the security patches that Apple has rolled out.

Amongst the numerous security fixes incorporated into this update are fixes for issues with WebKit, Safari, Apache, BlueTooth, Kernel, and QuickTime 7.

One of the highest profile security holes patched in the OS X 10.10.5 update is the DYLD_PRINT_TO_FILE privilege escalation exploit, through which a malicious hacker who has already broken into your computer could give themselves system-level powers to cause further harm.

Security researcher, Stefan Esser, published details of the vulnerability alongside proof-of-concept code before telling Apple about the flaw, and in the days that followed we began to see in-the-wild attacks exploiting the security hole.

Proof of concept code

It’s good to see that Apple has now managed to fix this issue, before more harm is done, rather than waiting until the public release of OS X 10.11 El Capitan.

Sadly, there is no sign in this update of a fix to the so-called Thunderstrike 2 vulnerability, for which security researchers created a proof-of-concept worm to demonstrate how it could spread between MacBooks, infecting firmware.

Thunderstrike 2

The typical user might not need to lose much sleep over Thunderstrike 2 just yet, as the research has all been done by members of the security community rather than criminal hackers, and there is no evidence that the vulnerability is being maliciously exploited.

All the same the hysteria over hard-to-detect UEFI chip-infecting malware has hopefully reminded Mac users that they are not magically immune from malware threats, and that it makes sense for them to run an anti-virus program.

Fingers crossed, Apple will release a proper fix for Thunderstrike 2 sooner rather than later.

And, by the way, if you’re not running OS X Yosemite on your Mac don’t think that you don’t have any updating to do.

OS X Mavericks and Mountain Lion users should ensure that they update Safari against a host of security vulnerabilities, even if they aren’t ready or aren’t able to make the jump to OS X 10.10.5. These flaws include remote code execution exploits and a security hole that could assist online criminals in phishing information from unsuspecting users.

App StoreIf you’re ready to install OS X Yosemite 10.10.5, enter the App Store app and click on the Updates tab.

Once there, you should see the update if it is available to you, and all you should need to do is click the “Update” button to begin the installation.

To complete the installation, you will have to restart your Mac, so I would recommend choosing a convenient time of day so your work isn’t disrupted too much.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →