Apple fixes loads of security holes in OS X, iOS, Apple TV, Safari

Apple’s latest tranche of updates has shipped.

The OS X update for Yosemite (10.10.3) excitedly announces the arrival of a brand new photo application.

It’s a successor to the venerable iPhoto software, sporting the imaginative name, wait for it, of…


The biggest drawcard of Photos seems to be a feature that could be both a security blessing and a curse, namely 5GB of free photo storage on Apple’s iCloud servers.

(Paid photo storage plans, apparently, go up to a mammoth 1TB, but your first 5GB is free.)

You’ll have free off-site backup, but there’s the concomitant extra risk of other people getting access to your private images as well.

The security fixes

As usual, however, it is the security fixes that are the compelling reason to grab these updates sooner rather than later, whether you are ready to leave iPhoto behind for Photos or not.

You can find all the gory details here:

• OS X 10.10.3 (10.10 Yosemite): HT204659

(Get a standalone installer at DL1805. Size: 1.4GB.)

• Security Update 2015-004 (10.9 Mavericks): HT204659

(Get a standalone installer at DL1803. Size: 112MB.)

• Security Update 2015-004 (10.8 Mountain Lion): HT204659

(Get a standalone installer at DL1802. Size: 176MB.)

• iOS 8.3: HT204661

(Get it from your device using Settings | General | Software Update. Size: 291MB.)

• Apple TV 7.2: HT204662

(Get it via Apple TV.)

• Safari 6.2.5, 7.1.5, 8.0.5: HT204658

(Get it via Apple Menu | App Store.)

Note that the Yosemite update, being a point release, includes Safari 8.0.5.

Also, if you like to fetch Apple’s Combo Updates whenever a point release comes out, you will find the relevant download for OS X 10.10.3 at DL1804. (Size: 1.9MB.)

Combo Updates bundle in all previous point releases, so that you can use the 10.10.3 Combo to jump straight from the original OS X Yosemite 10.10 to the most recent version.

You don’t first have to install 10.10.1, reboot, and then install 10.10.2 and reboot again before applying 10.10.3.

That’s very handy if ever you need or want to do a fresh OS X install.

It means you can more easily bring yourself right up to date with security fixes, including fixes for Safari, before you go online for the first time.

What was fixed?

The list of software components fixed in the various updates is extensive.

Rather than go into all the details, we’ll just encourage you towards grabbing the updates by pointing out that the holes fixed include:

  • Remote code execution (RCE). Opening a booby-trapped file or browsing to a malicious web page could lead to implanted malware, stolen data and a hijacked computer.
  • Security bypasses. Files you might expect to be kept away from prying eyes might be visible; secrets useful for further attacks (such as memory addresses used by the operating system) might be revealed.
  • Denial of service. A crook could force your computer to shut down without warning.
  • Data leakage. Passwords, private browsing data and application screenshots could be revealed.

More Lock Screen bugs

The most intriguing bugs, if we’re allowed to pick “favourites,” are probably two Lock Screen holes in iOS.

Your phone’s Lock Screen is very important, because it’s your main and immediate defence if your phone is lost, stolen, or even just picked up at the pub by an inquisitive (and improperly-behaved) friend or colleague.

The idea is that your Lock Screen can be configured to:

  • Kick in automatically when you aren’t using your phone. (Make the timeout as short as you can tolerate, e.g. 2 minutes.)
  • Require an unlock PIN or password. (Go as far beyond the minimum complexity of 4 digits as you can tolerate, e.g. 8 digits or a phrase.)
  • Automatically zap the data on your phone after 10 wrong passwords. (Don’t let young kids play with your work phone. It’s not a toy.)

Phones from Apple and other vendors have had a disappointing array of Lock Screen bugs in recent times, and the iOS 8.3 update fixes two more.

Uncovered by researchers at the University of Technology, Sydney, vulnerability CVE-2015-1107 means that the last-mentioned Lock Screen defence above might fail to trigger.

That could leave your phone unwiped even after a crook has exhausted his guesses.

And Lock Screen vulnerability CVE-2015-1108 means that the crook might be able to keep on guessing anyway, even after he’s supposed to have been shut out.

Convinced about updating yet?

We are: our updates are downloading as we speak!