Apple Releases Security Updates for OS X, Safari, iOS and Apple TV

Original release date: January 27, 2015

Apple has released security updates for OS X, Safari, iOS and Apple TV to address multiple vulnerabilities, one of which could allow a remote attacker to take control of an affected system.

Updates available include:

  • OS X v10.10.2 and Security Update 2015-001 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10 and v10.10.1
  • Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1
  • iOS 8.1.3 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
  • Apple TV 7.0.3 for Apple TV 3rd generation and later

US-CERT encourages users and administrators to review Apple security updates HT204244, HT204243HT204245 and HT204246, and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Linux “Ghost” Remote Code Execution Vulnerability

Original release date: January 27, 2015

The Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Linux distributions employing glibc-2.18 and later are not affected.

US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. Patches are available from Ubuntu and Red Hat. The GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement.


This product is provided subject to this Notification and this Privacy & Use policy.


Highly critical “Ghost” allowing code execution affects most Linux systems

An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.

The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed "Ghost" by some researchers, has the common vulnerability and exposures designation of CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What's more, patching systems requires core functions or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come.

The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module.

Read 4 remaining paragraphs | Comments

Apple releases OS X 10.10.2 with a pile of security, privacy, and Wi-Fi fixes

Apple has just released the final build of OS X 10.10.2, the second major update for OS X Yosemite since its release. Version 10.10.1, published just a month after Yosemite's release, focused mostly on quick fixes for the new OS' most noticeable problems. Apple has been issuing betas for 10.10.2 since November, though, and a longer testing period usually implies that there are more extensive fixes.

First up, the new release is supposed to fix more of the Wi-Fi problems that some users have been experiencing since Yosemite's launch. 10.10.1 also included Wi-Fi fixes, though it apparently didn't resolve the problems for all. The new update will also address "an issue that may cause webpages to load slowly" and improve general stability in Safari, all of which should go a long way toward improving Yosemite's network and Internet performance.

Several privacy and security problems that we've reported on have been resolved in 10.10.2, as well. Though Apple will still share limited search and location information with Microsoft to enable Spotlight's Bing-powered Web searching feature, the company has fixed a bug that caused Spotlight to "load remote e-mail content" even when the setting was disabled in Mail.app itself. Our original report describes why this is a problem:

Read 3 remaining paragraphs | Comments