Security Update 2015-003 for OS X Yosemite Released
Apple has released an important security update for OS X Yosemite users. Labeled as “Security Update 2015-003 1.0”, the update is available to all Macs running OS X Yosemite 10.10.2.
The easiest way to install the update is through the Mac Software Update mechanism, accessible from the Apple menu > App Store > Updates tab.
The update should appear automatically, but refreshing the App Store can be helpful if it does not show up. You may find a recent security update to Safari as well. It is recommended to start a backup with Time Machine before installing. Alternatively, Mac users can download the update directly from Apple, though you’ll want to be sure to pick the proper version (curiously, there’s a general version available and one specific to early 2015 Mac models):
All OS X Yosemite users are advised to install the update, as it improves the security of OS X against several potential issues. The update also includes security fixes from the prior Security Update, for those users who have slacked on installing that one for whatever reason.
Specifically, the detailed release notes for Security Update 2015-003 1.0 for OS X Yosemite are as follows:
Security Update 2015-003
• iCloud Keychain
  Available for: OS X Yosemite v10.10.2
  Impact: An attacker with a privileged network position may be able to execute arbitrary code
  Description: Multiple buffer overflows existed in the handling of data during iCloud Keychain recovery. These issues were addressed through improved bounds checking.
  CVE-ID: CVE-2015-1065 : Andrey Belenko of NowSecure
• IOSurface
  Available for: OS X Yosemite v10.10.2
  Impact: A malicious application may be able to execute arbitrary code with system privileges
  Description: A type confusion issue existed in IOSurface’s handling of serialized objects. The issue was addressed through additional type checking.
  CVE-ID: CVE-2015-1061 : Ian Beer of Google Project Zero
It’s a good idea to always start a backup of a Mac before installing software updates, even small security updates like this.