Apple has always had a shaky track record when it comes to taking user security seriously. That reputation was reinforced this week after Apple released a “repatch” for a security patch released last week.
That repatch was released as a follow-up to last week’s critical security update. Apple reportedly found a pair of flaws that were still exploitable on patched systems.
The problem is: the initial security patch – called 2015-002 – was specifically designed to fix the two critical flaws, which included a man-in-the-middle vulnerability and a type confusion error in OS X Yosemite 10.10.2.
Anyway, Apple has released the 2015-003 security update. This time, Apple promises the update fixes all of the problems that it was supposed to fix last week.
How Do the Security Flaws Work?
Apple’s security flaws were labelled as CVE-2015-1065 and CVE-2015-1061. The first issue was discovered by a researcher at NowSecure. It concerns the handling of iCloud Keychain data during recovery. Specifically, an attacker can get between a vulnerable Mac and its network connection to create buffer overflow errors, thus allowing for arbitrary code execution.
The second flaw is related to a type confusion error in the Yosemite IOSurface developer tool, which prevents proper handling of serialized objects. Malicious software can exploit this vulnerability, forcing the targeted Mac to execute code with system privileges. That second vulnerability was discovered by a member of Google Project Zero and reported to Apple.
What to Do If You’re Affected
You can download a fix for your Mac through the OS X App Store or by enabling automatic updates under your system options menu.