Apple closes a raft of “drive-by download” holes in OS X and iOS

If you’re one of those people who waits for the first update to an update before you install it…

…and you’re also an OS X or an iOS user, then your number’s just been called.

In a flurry of Security Advisories published this week [2015-10-21] by Apple, the following security-oriented updates were announced:

  • OS X El Capitan 10.11.1
  • iOS 9.1
  • watchOS 2.0.1
  • OS X Server 5.0.15

Additionally, iTunes goes to 12.3.1; Safari goes to 9.0.1; and, for programmers, Xcode goes to 7.1.

Interestingly, the iTunes security advisory applies only to Windows – on the Mac, it seems, it’s funky new features only.

Pre-Capitan versions of OS X get their own security fixes in Update 2015-007 and Mac EFI Security Update 2015-002.

As usual, head over to the App Store for the fixes: Apple Menu | App Store... | Updates.

Or, if you’re like me, you may want to get the OS X El Capitan point release as a disk image, just in case you need to reinstall the base operating system, or if, unlike me, you have a whole stash of Macs and don’t want each one of them to have to fetch the update from the App Store.

Bandwidth planner: iOS 9.1 will cost you about 0.3GB and OS X 10.11.1 about 1.1GB. Xcode 7.1, despite being a point release, is an “all-over-again” download, at just a shade over 2GB.

The security patches include a large number of remote code execution (RCE) holes that could, in theory, be triggered by booby-trapped objects of numerous sorts, including:

  • Web pages
  • Audio files
  • Fonts
  • Disk images
  • Package (.pkg) files
  • Images
  • AppleScripts

Once again, well done to Apple for pushing out fixes quickly, given that it’s less than a month since El Capitan came out, and just over a month since iOS 9 hit the airwaves.

And to all those Apple fans who live by the rule, “If malware hits your Mac, you’ll always see a prompt or some kind of warning first…”

…the whole problem with an RCE attack caused by booby-trapped content is that just looking at a file, or opening a file that contains embedded data such as a font or an image, is usually enough to give control to the crooks.

It’s called a drive-by install or a drive-by download for obvious reasons: you think you are safely “Just Visiting,” as the Monopoly board puts it, but the crooks end up owning you!

Monopoly board JUST VISITING image by txking, courtesy of Shutterstock.