Apple announced OS X Yosemite 10.10 yesterday, 16 October 2014.
Many early adopters will want it – indeed, some will already have it – for its new features, or its new look, or even just for its newness.
But some will want it simply as a security update, because it includes fixes for close to 50 CVEs, covering all sorts of vulnerabilities.
The fixes include patches against remote code execution, information disclosure, denial of service and more, in user applications, through web-facing servers such as Apache, to the kernel itself.
We were especially pleased to notice that the fixes even include a patch for CVE-2014-3566, better known as POODLE.
It’s a commendable result for Apple to have fixed such a recently-announced bug in the Yosemite release, considering that it’s a brand new operating system version that has been in the oven for months.
But what about those of us who can’t or won’t upgrade to 10.10 yet, or who are still waiting for the multigigabyte download to complete?
The equally good news is that Security Update 2014-005, published today and available for Mavericks (OS X 10.9) and Mountain Lion (OS X 10.8), kills off the POODLE vulnerability, too.
Interestingly, 2014-005 also fixes the recently-announced Bash bug Shellshock at the same time.
A Bash fix has been available for OS X since the end of September 2014, but clicking on Apple Menu | Software Update... wasn’t enough to fetch and apply the update automatically.
You needed to download and launch the update yourself.
Given that many users might not have bothered, or perhaps not known how (by the way, we published instructions here on Naked Security), Apple decided to push out the Shellshock update a second time.
So Security Update 2014-005 kills the POODLE and settles the Shellshock in one go.
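Because the earlier Bash fix had to be fetched and launched by hand, plenty of Macs may still be running the unpatched shell. Here is an added example (not from the article or from Apple) that checks whether the local bash still imports and executes a command tacked onto a function definition passed through the environment, which is the original Shellshock flaw; it assumes only that a `bash` binary is on the PATH (or that you pass its path).

```shell
#!/bin/sh
# Added example: report whether the local bash is still affected by the
# original Shellshock flaw. A vulnerable bash parses any environment
# variable that begins with "() {" as a function definition and, crucially,
# keeps executing whatever follows the closing brace, so the "echo" below
# runs at shell start-up. A patched bash treats the variable as plain text.
#
# Usage: shellshock_status [path-to-bash]
# Prints one of: vulnerable | patched | no-bash
shellshock_status() {
  bash_bin="${1:-bash}"           # defaults to whatever "bash" is on PATH

  # No bash at all means there is nothing to test.
  command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 0; }

  # The variable name "probe" is arbitrary (constructed for this example).
  # "-c ':'" runs a no-op, so any stdout at all comes from the injected echo.
  out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c ':' 2>/dev/null)

  case "$out" in
    *SHELLSHOCK_MARKER*) echo vulnerable ;;
    *)                   echo patched ;;
  esac
}

# Run stand-alone: report on the bash found on PATH.
shellshock_status
```

A result of "vulnerable" on a Mac means the September fix never landed and Security Update 2014-005 (or the Yosemite upgrade) is still outstanding.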
The best-of-all news, at least for Mavericks users, is that the update is just 6.6MB.
Mountain Lion users have to fetch about 160MB, which sounds like a lot just for fixing POODLE and Shellshock, but that’s how it is.
From what we can see, Apple has fixed its underlying Secure Transport library, the core code that most Apple applications use when they want secure connections such as HTTPS.
(Yes, that’s the library that had the infamous goto fail bug that won Apple a Most Epic Fail antiaward.)
That’s pretty good news, too, because it means that the fix applies not only to the Safari browser, but also to other Apple software where secure connections are used, such as Apple Mail and the App Store.
Word of warning: there isn’t a fix for Lion (OS X 10.7).
Remember how Snow Leopard (OS X 10.6) fell off the edge of the security planet when Mavericks came out, leaving just three versions getting security patches, namely 10.9, 10.8 and 10.7?
It looks as though the arrival of 10.10 has cut the supported-for-security list to 10.10, 10.9 and 10.8.
You can still upgrade for free from 10.6.8 and 10.7 all the way to Yosemite, but only if your hardware is up to it.
But don’t shoot us for saying that: we’re just the messengers.
To get Security Update 2014-005, simply click on Apple Menu | Software Update... and find the relevant item in the Updates Available section.
Note that a reboot is required.
13 comments on “Apple kills the POODLE – also fixes Shellshock in case you forgot”
I’m stuck running 10.6.8 on a MacBook. Even though the system could be updated to 10.7 or 10.8, my local Apple store (Charlestown Square, Australia) have no idea how I can download and install a version older than 10.9, and basically refused point blank to help. I can’t find any current information online, either.
Hence, that was my first and last Mac. Having abandoned Microsoft after Windows 98, I now have one virtually useless MacBook that I now only use for doing annual tax returns, and everything else is Linux or Android.
Apple unambiguously states that you can do it straight from the App Store (the application for which is available on 10.6.8), that 10.6.8 is supported for upgrading, and that it is free.
So it sounds as though you have a pre-2008 MacBook, if the hardware can’t support Yosemite. Why not just put Linux on it?
Paul wrote “Why not just put Linux on it?”
Well, the OP did say that he needs to run the Australian tax program. Apparently that doesn’t run on Linux, so he is maintaining this one non-Linux computer solely for that purpose.
Ironically, when 10.6 came out, the Australian Tax Office didn’t support Mac at all. You had to use a Windows VM. Only very recently did they support OS X at all 🙂
My friends have all updated from 10.6.8 just by clicking on the installer in the App Store; it was free and no hassle. You can just keep clicking until you get to the version you want. Your MacBook is just fine.
I tire of this. We have several 10.6 systems due to legacy software that we use to run our business. Companies have NO DESIRE to subscribe to the endless hardware and software upgrade schemes… it costs an enormous amount of time and money to test every aspect. It might be fun every four years or so to buy a new home computer, but not in the corporate world.
So…you have software to which you’ve entrusted your business, and the creator of that software hasn’t updated it since 10.6?
Don’t you sometimes worry that it might be shot through with seven years of unpatched security holes? I think it’s fair to say that this “but the hardware/software was adequate back in 2007” attitude has at least some part to play in the spate of recent data breaches.
Two sides to this coin.
1) Manufacturers keep releasing new versions requiring users to buy new hardware/software and to update custom apps they’ve developed.
2) Manufacturers continue to update a single version, users are released from the treadmill.
Manufacturers love option 1. Users prefer option 2.
But it sounds like the OP has a manufacturer who is following the third side of the coin:
3) Have a single version and don’t do any updates. Who needs ’em?
Yes, Paul. You make SIX years ago sound like it was in 1947. Windows 7 was released in 2009, and only recently were businesses forced into it by Microsoft. I am not saying it is optimal, but changing the myriad of interdependent pieces of software at the whims of ONE vendor is often impossible. How hard would it be to patch an OS regularly, yet release a true new version every four or five years? Don’t tell me there is much of a perceptible difference between 10.9 and 10.10. I’d argue that on the business users’ side, there isn’t much of a perceptible difference between 10.6 and 10.10. Patch the OS and make it work and stop the endless revenue generating schemes of update after update.
Also, 10.7, which is NOT supported by this patch, is only 3 years old. Really?
Not sure what “corporate world” you operate in, but expecting what you seem to expect is patently ridiculous. I believe you will be perpetually disappointed in your corporate world.
Download an app called MacTracker – that will tell you whether you can upgrade your particular Mac to Yosemite or not!