A very quick note to say, “Looks like Apple missed some holes last week.”
Just before Microsoft’s March 2015 Update Tuesday, Apple pushed out a raft of updates, covering Apple TV, iOS and OS X.
The iOS update was way more than just security fixes, being a full point release weighing in at 0.5GB, and including features added specifically to support the brand-new Apple Watch.
But the 09 March 2015 update for OS X was officially listed as Security Update 2015-002, and came as a fast and easily-applied 5MB download.
Unfortunately, it looks as though two of the critical patches in 2015-002 now need patching themselves.
That’s because Security Update 2015-003 was just announced, re-patching bugs known as CVE-2015-1061 and CVE-2015-1065 that were supposedly already fixed.
Interestingly, CVE-2015-1061 was one of the patches we focused on in our report of the previous updates.
That was a hole in the Apple IOSurface programming framework.
Ironically, IOSurface is “commonly used to allow applications to move complex image decompression and draw logic into a separate process to enhance security,” as Apple describes it.
But in this case, a bug in IOSurface itself opened up a security hole.
That IOSurface vulnerability was shared amongst OS X, iOS and Apple TV, all of which received patches for it.
So you probably want to keep your eye open in case corresponding “patch patches” come out for iOS and Apple TV, too.
Additionally, while you’re about it, make sure you have Safari 8.0.4, which fixes numerous security holes in Apple’s browser. (The Safari update came out between 2015-002 and 2015-003.)
To make sure you have the latest OS X patches, go to Apple Menu | App Store... and click on Updates.