Apple Unveils OS X 10.11 With Long List of Security Fixes
Apple debuts a new Mac operating system, OS X 10.11, which offers some new features and locks down security.Apple today released its OS X 10.11 El Capitan desktop operating system, providing users with incremental new features and a long list of security patches. The 10.11 update follows Apple's mobile iOS 9 update that debuted Sept. 16 and includes some of the same security patches. One such example is in the CFNetwork component, which provides core networking technologies to iOS and OS X. Apple patched CVE-2015-5858, a Web address parsing flaw in handling HSTS (HTTP Strict Transport Security) in iOS 9 nearly two weeks ago and is now rolling the same patch out in OS X 10.11. Another example of an issue fixed first in iOS 9 is CVE-2015-5874, which security researcher John Villamil of the Yahoo Pentest Team reported to Apple. "Processing a maliciously crafted font file may lead to arbitrary code execution," an Apple advisory states. "This issue was addressed through improved input validation."
The last major security update for OS X prior to today was the 10.10.5 update on Aug. 13 that came out the same day as the iOS 8.4.1 security update. Similarly, the OS X 10.10.4 update on June 30 was issued on the same day as the iOS 8.4 update. With those two updates, there were also multiple common patches across shared application libraries used on both the desktop and mobile operating systems.
"When an OS X system and an iPhone have been properly configured, Continuity allows phone calls and SMS [Short Message Service texts] to be placed and received on OS X and routed through the iPhone using the mobile carrier’s network," Bastone blogged.
According to Apple's advisory on CVE-2015-3785, a local attacker can place phone calls without the user's knowledge when using Continuity. "This issue was addressed through improved authorization checks," Apple stated. The bypass issue identified by Bastone is CVE-2015-5897, which Apple has listed as an Address Book vulnerability. "A local attacker may be able to inject arbitrary code to processes loading the Address Book framework," Apple's advisory states. "This issue was addressed through improved environment variable handling." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.