Apple Updates OS X 10.10 to Patch Security Vulnerabilities

In OS X 10.10.5, Apple patches multiple issues, including one first publicly disclosed in July.


Apple has come out with what could be its last major update to OS X 10.10 before the release of OS X 10.11 "El Capitan" next month. OS X 10.10.5 is largely a security update, as it includes patches for issues that have already been publicly disclosed.

One of those issues, CVE-2015-3760, is a vulnerability in the dyld dynamic linker that SektionEins security researcher Stefan Esser publicly disclosed in July. At the time, Esser explained that the "DYLD_PRINT_TO_FILE" environment variable enabled error logging to an arbitrary files and lacked proper safeguards, making it potentially exploitable by an attacker.

Apple's advisory states that the potential impact of the dyld issues is that a local user may be able to execute arbitrary code with system privileges, due to a path validation issue. With the OS X 10.10.5 update, Apple added improved environment sanitization to correct the issue.

Though Esser publicly disclosed the issue prior to the patch, which is generally frowned upon in the security business, Apple still credits him with the original discovery.

"I did not expect at all being credited for DYLD_PRINT_TO_FILE after dropping it publicly," Esser wrote in a Twitter message.

Also as part of the OS X 10.10.5 update, Apple is including 11 fixes for memory corruption issues in QuickTime 7 that could have led to arbitrary code execution. Ryan Pentney and Richard Johnson of Cisco's Talos research group reported five of the QuickTime issues to Apple.

"Several memory corruption vulnerabilities exist in Apple Quicktime and can manifest themselves due to improper handling of objects in memory," Cisco stated in an advisory. "An adversary who crafts a specifically formatted .MOV file can cause Quicktime to terminate unexpectedly, creating a local denial of service condition."

There is also an interesting fix for a security issue in Apple's CloudKit technology that powers the iCloud system. Apple's iCloud service came under intense scrutiny in September 2014, when Hollywood celebrities had their accounts hacked and private data was leaked publicly. The CloudKit issue patched in OS X 10.10.5 is identified as CVE-2015-3782 and was reported to Apple by Deepkanwal Plaha of the University of Toronto.

"A malicious application may be able to access the iCloud user record of a previously signed in user," Apple warned in its advisory.

On the somewhat less serious, but still noteworthy side of things, there is an update for Apple's Dictionary application for a security issue identified as CVE-2015-3774.

"An attacker with a privileged network position may be able to intercept users' Dictionary app queries," Apple warned. "This issue was addressed by moving Dictionary queries to HTTPS."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.