Apple OS X 10.10.2 Bashes Bugs

Apple updates Yosemite for the Thunderstrike hardware vulnerability, which was among 54 patched flaws.

Apple Yosemite patch

Apple released its OS X 10.10.2 update on Jan. 27, providing users with fixes for 54 identified Common Vulnerabilities and Exposures (CVEs). Among the fixed vulnerabilities are updates for issues identified by Google's Project Zero malware research organization, as well as the so-called Thunderstrike hardware vulnerability.

In December 2014, security researcher Trammel Hudson publicly demonstrated Thunderstrike (also identified as CVE-2014-4498) as a vulnerability that enables an attacker to infect a Mac OS X machine by way of the Thunderbolt peripheral port.

"Thunderbolt devices could modify the host firmware if connected during an EFI [Extensible Firmware Interface] update," Apple warned in its advisory. "This issue was addressed by not loading option ROMs during updates."

Google researchers have been actively looking at OS X security in recent months as part of the Project Zero effort that was revealed in July 2014. Project Zero has a policy of publicly disclosing flaws 90 days after they have been reported to a vendor. That policy has led Project Zero to disclose multiple zero-day flaws in Microsoft products.

In the OS X 10.10.2 update, Apple credits Google Project Zero researchers for the discovery of 12 vulnerabilities (CVE-2014-8817, CVE-2014-8819, CVE-2014-8820, CVE-2014-8821, CVE-2014-4486, CVE-2014-4389, CVE-2014-8823, CVE-2014-4495, CVE-2014-4492, CVE-2014-8835, CVE-2014-8836 and CVE-2014-8817).

Three of the vulnerabilities (CVE-2014-8819, CVE-2014-8820 and CVE-2014-8821) reported by Google's Project Zero affect the Intel graphics driver used in OS X.

"Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges," Apple warned.

Among the other interesting vulnerabilities that Google's Project Zero reported that are fixed in OS X 10.10.2 is CVE-2014-8836, a flaw in OS X's Bluetooth driver.

"An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory," Apple warned in its advisory. "The issue was addressed through additional input validation."

Google's Project Zero isn't the only research group that found Bluetooth vulnerabilities in Apple's operating system. Roberto Paleari and Aristide Fattori of Emaze Networks are credited by Apple for reporting CVE-2014-8837.

"Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privilege," Apple's advisory stated.

The open-source Bash (Bourne Again SHell) was the subject of much scrutiny in 2014, due to the Shellshock vulnerability that could have enabled system exploitation. OS X 10.10.2 provides updates for three Bash issues (CVE-2014-6277, CVE-2014-7186 and CVE-2014-7187) that could have potentially enabled a local attacker to execute arbitrary code.

The open-source OpenSSL cryptographic library was also the subject of scrutiny in 2014, due to the Heartbleed flaw, which could have enabled an attacker to decipher encrypted communications. In OS X 10.10.2, Apple is updating OpenSSL for three vulnerabilities (CVE-2014-3566, CVE-2014-3567 and CVE-2014-3568) as part of the update to OpenSSL version 0.9.8zc.

Apple is also updating its Safari browser to version 8.0.3, fixing four memory corruption vulnerabilities in the WebKit rendering engine.

The Apple 10.10.2 update is the first incremental update for OS X 10.10 Yosemite since the 10.10.1 update, which provided four security fixes, was released on Nov. 17, 2014.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.