With Macs continuing to expand in the enterprise, and our increased focus on Mac patching, we are overdue to provide analysis on OS X updates as we do with those on Microsoft and third-party vendors on Patch Tuesday. Apple released a number of updates on March 21 that impact Mac OS X, including El Capitan 10.11.4, Security Update 2016-002 for Mavericks 10.9.5 and Yosemite 10.10.5, Safari 9.1, Xcode 7.3, and OS X Server 5.1. In total,
Before diving into the analysis, it is clear that Apple is much less transparent about their security than Microsoft and other vendors. While Apple lists the Common Vulnerabilities and Exposures (CVE) IDs for their vulnerabilities, they reveal little detail about proprietary components in the CVE entries, making it difficult to assess risk. Still, analyzing the impact descriptions for their fixes gives one a sense of the risk.
OS X 10.11.4 and Security Update 2016-002
The last OS X security update was in mid-January, and the latest brings fixes for 59 vulnerabilities. Interestingly, 36 of the vulnerabilities were fixed only in El Capitan. Looking through the fixes that apply to Mavericks and Yosemite, they include vulnerabilities that allow malicious PNG and XML files to run arbitrary code, and such vulnerabilities are prime candidates for phishing attacks. Among the El Capitan-only fixes was a FontParser fix for a vulnerability that could allow a malicious PDF to run arbitrary code, which again is a prime candidate for phishing and other social engineering techniques. It isn’t clear whether this vulnerability, and the others fixed only on El Capitan 10.11, are also present in older versions of OS X. The clear gap in fix applicability suggests that organizations should always update to the latest version of Mac OS X, and not just apply the latest security update. Many other types of vulnerabilities were fixed across numerous OS X components that have lower risk exposure, but the bottom line is that one should update their Macs to close all exposures.
Safari 9.1 is available for Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11 to 10.11.3 (it’s included in 10.11.4). There were 12 vulnerabilities fixed, including three where arbitrary code could be executed through malicious XML or web content. These alone are a reason to upgrade. Other vulnerabilities compromise privacy, cause denial of service, enable UI spoofing, or provide access to restricted ports. Safari 9.1 includes numerous new features that are the motivation for users to update and drag the security fixes along.
For developers, Xcode version 7.3 fixed three vulnerabilities across two components: otool and subversion. The subversion vulnerabilities are the most significant, where connecting to a malicious server could allow arbitrary code execution. There were many new features in Xcode 7.3, like support for iOS 9.3, watchOS 2.2, and tvOS 9.2, along with other improvements. Most developers will update for those features alone. However, the security fixes should be reason enough on their own.
OS X Server 5.1
For those not familiar, OS X Server is an application that can be downloaded from the App Store (for $19.99 in the US) to enable server capabilities like website hosting, wikis, backups, file sharing, and many other features.
There were four vulnerabilities fixed in OS X Server that address RC4 exploits, access to sensitive information remotely, and storing backups on a volume without permissions enabled.
Apple is one of the best companies around at getting people to adopt new releases: it drives new features, gets users interested, and wraps the security fixes in with the release. Most Apple users have grown accustomed to updating their devices when prompted. That said, it is still important to assess compliance and update the systems in your organization to ensure there are no lingering risks.
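To turn the fix-applicability gap described above and the closing compliance advice into a check, here is an added example (not code from the original post) that classifies a Mac's patch posture from the figures in this post: 59 fixes in total, 36 of them only in El Capitan 10.11.4, and Safari 9.1 bundled in 10.11.4. The inventory rows are constructed samples; in practice the OS version string would come from `sw_vers -productVersion`.

```python
from typing import List, Tuple

# Figures from the post: 59 CVEs fixed, 36 of them only on El Capitan,
# so Security Update 2016-002 for 10.9.5/10.10.5 covers the other 23.
TOTAL_FIXES = 59
EL_CAPITAN_ONLY = 36

def parse_version(v: str) -> Tuple[int, ...]:
    """'10.11.4' -> (10, 11, 4); tuples compare component by component."""
    return tuple(int(p) for p in v.split("."))

def os_posture(os_version: str, has_secupd_2016_002: bool) -> Tuple[str, int]:
    """Return (status, number of the 59 March fixes this Mac still lacks)."""
    v = parse_version(os_version)
    if v >= parse_version("10.11.4"):
        return ("fully patched", 0)
    if v >= (10, 11):
        # El Capitan below 10.11.4: none of the March fixes are present.
        return ("upgrade to 10.11.4", TOTAL_FIXES)
    if v[:3] in ((10, 9, 5), (10, 10, 5)):
        if has_secupd_2016_002:
            # Security Update 2016-002 ships only the 23 shared fixes.
            return ("partially patched; upgrade to El Capitan", EL_CAPITAN_ONLY)
        return ("install Security Update 2016-002, then upgrade", TOTAL_FIXES)
    return ("unsupported release; upgrade to 10.11.4", TOTAL_FIXES)

def safari_needs_update(os_version: str, safari_version: str) -> bool:
    """Safari 9.1 is bundled in 10.11.4; older OS builds need the separate update."""
    if parse_version(os_version) >= parse_version("10.11.4"):
        return False
    return parse_version(safari_version) < (9, 1)

# Constructed inventory: (hostname, OS version, SecUpd 2016-002 installed?, Safari)
INVENTORY = [
    ("mac-01", "10.11.4", False, "9.1"),
    ("mac-02", "10.11.3", False, "9.0.3"),
    ("mac-03", "10.10.5", True, "9.0.3"),
    ("mac-04", "10.9.5", False, "9.0.3"),
]

def report(inventory=INVENTORY) -> List[Tuple[str, str, int, bool]]:
    rows = []
    for host, osv, secupd, safari in inventory:
        status, missing = os_posture(osv, secupd)
        rows.append((host, status, missing, safari_needs_update(osv, safari)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```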