While the world's focus on Apple today might be on the release of its new streaming music service, the company also pushed out a host of security fixes for exploits, flaws, and — shall we say — politically difficult situations of the last few months. iOS 8.4 and OS X 10.10.4 should make users safer, pending testing by outside researchers.
EFI firmware flaw patched
In June, a researcher revealed a problem with Apple's version of EFI (Extensible Firmware Interface), the bootstrapping software — much as the BIOS once was for PCs — that runs on power-up or restart to perform hardware tests and then load the operating system. On waking his Mac from sleep, the researcher found he could potentially modify the EFI firmware, which is otherwise cryptographically protected. Modified firmware could carry out all sorts of insidious behavior while evading detection and easy removal.
The researcher said he believed this affected Macs made only in mid-2014 or earlier, and that it was possible Apple had fixed it in newer models. Apple's Mac EFI Security Update 2015-001 is available for Mountain Lion (10.8.5) and Mavericks (10.9.5) as well as Yosemite. Specific models aren't noted, and Yosemite can run on some Mac models released as far back as 2007, so the update would be required on older Macs even if newer hardware had improved firmware.
The update also mitigates the Rowhammer bug, in which malware could corrupt values stored in DRAM, gain access to all memory, and so take over a system. Apple solved the problem by the relatively obscure means of increasing the rate at which memory is refreshed.
According to Net Applications, about 14 percent of Macs in April 2015 were using a version of OS X older than Mountain Lion. While that's still millions of Macs, the number is declining every day, and it's unlikely attackers would focus on a smaller and shrinking user base, especially one that requires carefully crafted and remotely delivered malware or physical proximity to a computer.
Mail's refresh ability
An apparent bug in iOS's Mail app allowed a specially crafted HTML message to force Mail to load an arbitrary Internet-hosted webpage. While Mail filters many kinds of behavior, a researcher found that it didn't restrict the use of a "refresh" command in a Meta tag placed in the header portion of an HTML email. This led to a proof-of-concept in which an email message pulled in a page that displayed a formatted prompt resembling an iCloud login.
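As an added illustration (not code from the article or from the researcher), the following Python scans an HTML mail body for the Meta refresh directive described above and strips it, so a mail gateway or client can refuse to follow it; the two sample messages and the example.invalid URL are constructed for the demo.

```python
# Added example (not from the article): detect and strip the <meta> refresh
# directive described above from an HTML mail body, standard library only.
from html.parser import HTMLParser
import re

# Constructed sample: a message whose <head> carries a refresh directive
PHISHY_EMAIL = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://example.invalid/icloud-login">
</head><body><p>Your account needs attention.</p></body></html>"""

# Constructed sample: ordinary newsletter with a harmless meta tag
BENIGN_EMAIL = """<html><head><meta charset="utf-8"></head>
<body><p>Monthly update</p></body></html>"""


class MetaRefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=http://..."; the URL part is optional
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
        self.targets.append(m.group(1) if m else "")


def find_meta_refresh(html):
    """Return the refresh targets found in an HTML mail body ([] if none)."""
    p = MetaRefreshFinder()
    p.feed(html)
    p.close()
    return p.targets


# Matches a whole <meta ... http-equiv=refresh ...> element, any case/quoting
_META_RE = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*>", re.I)


def strip_meta_refresh(html):
    """Remove every refresh meta tag so the client never follows it."""
    return _META_RE.sub("", html)
```

A production filter would rebuild the document from the parsed tree rather than regex-strip the tag, but the detection logic is the same: any refresh directive in a mail body is a signal to block or flag.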