Apple kills the POODLE – also fixes Shellshock in case you forgot

Apple announced OS X Yosemite 10.10 yesterday, 16 October 2014.

Many early adopters will want it – indeed, some will already have it – for its new features, or its new look, or even just for its newness.

But some will want it simply as a security update, because it includes fixes for close to 50 CVEs, covering all sorts of vulnerabilities.

The fixes include patches against remote code execution, information disclosure, denial of service and more, in everything from user applications, through web-facing servers such as Apache, to the kernel itself.

We were especially pleased to notice that the fixes even include a patch for CVE-2014-3566, better known as POODLE.

It’s a commendable result for Apple to have fixed such a recently-announced bug in the Yosemite release, considering that it’s a brand new operating system version that has been in the oven for months.

But what about those of us who can’t or won’t upgrade to 10.10 yet, or who are still waiting for the multigigabyte download to complete?

The equally good news is that Security Update 2014-005, published today and available for Mavericks (OS X 10.9) and Mountain Lion (OS X 10.8), kills off the POODLE vulnerability, too.

Interestingly, 2014-005 also fixes the recently-announced Bash bug Shellshock at the same time.


A Bash fix has been available for OS X since the end of September 2014, but clicking on Apple Menu | Software Update... wasn’t enough to fetch and apply the update automatically.

You needed to download and launch the update yourself.

Given that many users might not have bothered, or perhaps not known how (by the way, we published instructions here on Naked Security), Apple decided to push out the Shellshock update a second time.

So Security Update 2014-005 kills the POODLE and settles the Shellshock in one go.

The best-of-all news, at least for Mavericks users, is that the update is just 6.6MB.

Mountain Lion users have to fetch about 160MB, which sounds like a lot just for fixing POODLE and Shellshock, but that’s how it is.

From what we can see, Apple has fixed its underlying Secure Transport library, the core code that most Apple applications use when they want secure connections such as HTTPS.

(Yes, that’s the library that had the infamous goto fail bug that won Apple a Most Epic Fail antiaward.)

That’s pretty good news, too, because it means that the fix applies not only to the Safari browser, but also to other Apple software where secure connections are used, such as Apple Mail and the App Store.

Word of warning: there isn’t a fix for Lion (OS X 10.7).

Remember how Snow Leopard (OS X 10.6) fell off the edge of the security planet when Mavericks came out, leaving just three versions getting security patches, namely 10.9, 10.8 and 10.7?

It looks as though the arrival of 10.10 has cut the supported-for-security list to 10.10, 10.9 and 10.8.

You can still upgrade for free from 10.6.8 and 10.7 all the way to Yosemite, but only if your hardware is up to it.

But don’t shoot us for saying that: we’re just the messengers.

To get Security Update 2014-005, simply click on Apple Menu | Software Update... and find the relevant item in the Updates Available section.
Note that a reboot is required.
