Apple Unveils OS X 10.11 With Long List of Security Fixes

Apple debuts a new Mac operating system, OS X 10.11, which offers some new features and locks down security.

Apple security

Apple today released its OS X 10.11 El Capitan desktop operating system, providing users with incremental new features and a long list of security patches.

The 10.11 update follows Apple's mobile iOS 9 update that debuted Sept. 16 and includes some of the same security patches. One such example is in the CFNetwork component, which provides core networking technologies to iOS and OS X. Apple patched CVE-2015-5858, a Web address parsing flaw in handling HSTS (HTTP Strict Transport Security) in iOS 9 nearly two weeks ago and is now rolling the same patch out in OS X 10.11.

Another example of an issue fixed first in iOS 9 is CVE-2015-5874, which security researcher John Villamil of the Yahoo Pentest Team reported to Apple.

"Processing a maliciously crafted font file may lead to arbitrary code execution," an Apple advisory states. "This issue was addressed through improved input validation."

The last major security update for OS X prior to today was the 10.10.5 update on Aug. 13 that came out the same day as the iOS 8.4.1 security update. Similarly, the OS X 10.10.4 update on June 30 was issued on the same day as the iOS 8.4 update. With those two updates, there were also multiple common patches across shared application libraries used on both the desktop and mobile operating systems.

While there are many common elements across iOS and OS X for security, there are also many unique elements. Among the new patches only in OS X 10.11 is CVE-2015-5836, a fix for a vulnerability in the Apple Online Store Kit.

"A malicious application may gain access to a user's keychain items," Apple warned. "This issue was addressed through improved access control list checks."

A similar, though technically different, issue was patched in iOS 9 with CVE-2015-5832, a flaw in the iTunes Store component.

Another unique issue patched in OS X 10.11 is CVE-2015-5913, a flaw in the Heimdal Kerberos 5 implementation for security credentials. The flaw was reported to Apple by security researchers working for rival operating system vendor Microsoft."An attacker may be able to replay Kerberos credentials to the SMB server," Apple advises. "This issue was addressed through additional validation of credentials using a list of recently seen credentials."

OS X 10.11 also is being patched for multiple security vulnerabilities in the IOgraphics stack. Somewhat ironically, the majority of the IOGgraphics vulnerabilities were reported to Apple by security researcher Ilja van Sprundel, who works for a security company called IOActive.

"Multiple memory corruption issues existed in the kernel," Apple's advisory states. "These issues were addressed through improved memory handling."

Also somewhat ironically is the CVE 2015-3785 patch for OS X 10.11 for a telephony vulnerability that isn't present on iOS 9 although it relies on a user having both an iPhone as well as a Mac desktop.

Dan Bastone, a security researcher at Gotham Digital Science, first reported the CVE-2015-3785 issue to Apple on May 25. According to Bastone, Apple first patched the CVE-2015-3785 issue with the OS X 10.10.5 update in August, though it was not publicly disclosed at the time. Bastone blogged that there is a bypass for the Apple fix identified as CVE-2015-5897, which also is patched in the 10.11 update.
"When an OS X system and an iPhone have been properly configured, Continuity allows phone calls and SMS [Short Message Service texts] to be placed and received on OS X and routed through the iPhone using the mobile carrier’s network," Bastone blogged.
According to Apple's advisory on CVE-2015-3785, a local attacker can place phone calls without the user's knowledge when using Continuity.

"This issue was addressed through improved authorization checks," Apple stated.

The bypass issue identified by Bastone is CVE-2015-5897, which Apple has listed as an Address Book vulnerability.

"A local attacker may be able to inject arbitrary code to processes loading the Address Book framework," Apple's advisory states. "This issue was addressed through improved environment variable handling."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.