Apple patches 144 security flaws across seven products

Patches are released for Mavericks, Mountain Lion, OS X Server and iTunes. A fix for the POODLE bug is included where appropriate. Most of the bugs are old ones in iTunes.
Written by Larry Seltzer, Contributor

In addition to OS X 10.10 Yosemite, Apple released a number of other software updates on Thursday, largely for security fixes: Security Update 2014-005 for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5; OS X Server versions 2.2.5, 3.3.2 and 4.0; and iTunes 12.0.1. In total, 144 separate vulnerabilities are addressed in these updates.

More security updates may be coming on Monday, October 20 when Apple releases iOS 8.1. Expect many of the bugs fixed in Yosemite also to be fixed in iOS.

Yosemite fixes 45 vulnerabilities across many parts of the operating system. Included is the fix for the Shellshock bug in the Bash shell, patched separately at the end of September. There is also a fix for the POODLE flaw in the design of the SSL version 3 protocol; Apple addressed it by disabling CBC cipher suites when TLS connection attempts fail.

Many of the other vulnerabilities are severe, allowing arbitrary code execution with high privileges, giving one user access to another's Kerberos tickets or letting a malicious Bluetooth device establish a connection without pairing.

At the same time, Apple released Security Update 2014-005 for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5. This update contains only two fixes, those for Shellshock and for POODLE. Presumably the other 43 vulnerabilities fixed in Yosemite apply at least to Mavericks, but they have not been fixed in the earlier versions of OS X, at least not yet.

iTunes 12.0.1 is the busiest update released today, with 83 vulnerabilities fixed, all of them memory corruption issues in the WebKit browser engine. Apple has been collecting these for some time: they came from 15 different sources (including Apple), and 16 of them have CVE dates from 2013.

Apple released OS X Server 4.0 on Thursday as well, fixing 18 vulnerabilities. Many are in third-party components such as PostgreSQL and BIND.

OS X Server versions 3.3.2 and 2.2.5 were also released, but these include only the TLS change to block the POODLE attack, not fixes for any of the other bugs in OS X Server.
