Apple Patches Critical Backdoor Flaw in OS X 10.10.3

In addition to a number of updates in OS X 10.10.3, Apple is fixing vulnerabilities across its OS X operating system.

Apple security update

For months, Apple has been previewing the new Photos App, which has now officially landed in the new OSX 10.10.3 Yosemite update that first became generally available on April 8. The OS X 10.10.3 update also includes new emoji characters and improves WiFi performance. Perhaps even more noteworthy, though, is the volume of security updates that are included in the 10.10.3 milestone. Apple is patching a long list of vulnerabilities across its OS X operating system that were found by both internal Apple resources and external security researchers.

Among the security issues patched in OS X 10.10.3 is a security vulnerability in its administration framework. The issue, identified as CVE-2015-1130, was reported by security researcher Emile Kvarnhammar, CEO at TrueSec.

"The admin framework in Apple OS X contains a hidden backdoor API to root privileges," Kvarnhammar wrote in a blog post. "It's been there for several years (at least since 2011), I found it in October 2014, and it can be exploited to escalate privileges to root from any user account in the system."

While Apple has now fixed the CVE-2015-1130 in the 10.10.3 update for users of Apple's Yosemite OS 10.10 operating system, older OS X systems are also at risk. Kvarnhammar noted that Apple told him the fix required a substantial amount of changes and a patch would not likely be back-ported for OS X 10.9 and older.

"Our recommendation to all OS X users out there: Upgrade to 10.10.3 (or later)," Kvarnhammar wrote.

Apple also has nine patches in OS X 10.10.3 for various OS X kernel vulnerabilities. Among the patched kernel flaws is CVE-2015-1103, which was discovered by Zimperium Mobile Security Labs. According to Apple's advisory, the flaw could have enabled an attacker to redirect user traffic to arbitrary hosts.

"ICMP (Internet Control Message Protocol) redirects were enabled by default on OS X," Apple's advisory states. "This issue was addressed by disabling ICMP redirects."

Google's Project Zero security research team is also well-represented on the Apple OS X 10.10.3 patch list and is credited with reporting seven vulnerabilities. Five of the Google Project Zero vulnerabilities are found in the Apple Type Service (ATS) component of OS X. The impact of the issues is that arbitrary code could have been executed. The other two of the Google Project Zero issues are found in the IOHIDFamily, a library of human interface interactions. The IOHDFamily is being patched for six different vulnerabilities.

Apple is now providing its users with an updated version of the open-source OpenSSL cryptographic library for Secure Sockets Layer/Transport Layer Security (SSL/TLS). The new OpenSSL version 0.9.8zd fixes six vulnerabilities.

Apple is also providing its OS X users with the Safari 8.0.5 update. Seven security updates in the Safari browser are specifically for the WebKit rendering engine.

One particularly nasty flaw fixed in Safari is CVE-2015-1129, an SSL/TLS tracking issue. According to Apple, the vulnerability could have enabled users to be tracked by malicious Websites using client certificates.

"An issue existed in Safari's client certificate matching for SSL authentication," Apple warned in its advisory. "This issue was addressed by improved matching of valid client certificates."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.