Apple OS X 10.10.1 Fixes Four Vulnerabilities
Apple released its first incremental update for its new OS X 10.10 Yosemite operating system on Nov. 17, providing users with four security fixes, only one of which is rated as being critical.
OS X 10.10 Yosemite was officially released by Apple on Oct. 16 alongside the 10.9.5 security update for the OS X Mavericks operating system with a fix for the Secure Sockets Layer (SSL) POODLE vulnerability.
For OS X 10.10.1, the only critical security update is CVE-2014-4459, a remote code execution vulnerability in the WebKit rendering engine.
"A use after free issue existed in the handling of page objects," Apple's advisory states. "This issue was addressed through improved memory management."
What is particularly interesting about the CVE-2014-4459 issue is that, to the best of my knowledge, this is the first time this issue has been reported and fixed. With many WebKit vulnerabilities, Google has typically been first to report and often fix the issue. Google leverages components of WebKit as part of its own Blink rendering engine, used in the Chrome Web browser.
The other three issues fixed by the OS X 10.10.1 update are all rated as being important by Apple, and all three represent potential information leakage risks.
CVE-2014-4460 is a vulnerability that could impact Apple Safari users employing the Private Browsing mode in the browser. With Private Browsing, the promise is that history and cookie information is deleted when the browsing session ends. With the CVE-2014-4460 flaw, which Apple has now patched, the Website cache may not be properly and fully cleared when a user leaves the Private Browsing mode.
One of the major improvements introduced in OS X 10.10 Yosemite is a more effective Spotlight search tool that shows users search information from their own device as well as the Web. The CVE-2014-445 vulnerability is an information leakage issue whereby unnecessary information was being shared from the user's machine and Apple's Spotlight Suggestions servers.
"The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user's approximate location before a user entered a query," Apple's advisory states. "This issue was addressed by removing this information from the initial connection and only sending the user's approximate location as part of queries."
Apple's sensitivity to unnecessary information disclosure is further highlighted by the CVE-2014-4458 vulnerability that impacts the Apple system profiler tool.
"The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies," Apple's advisory states.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.