Security Update 2015-005 for OS X Mavericks & Mountain Lion Available
Mac users on OS X Mavericks 10.9.5 and OS X Mountain Lion 10.8.5 will find two important software updates available to them, labeled as Security Update 2015-005 and Mac EFI Security Update 2015-001. The updates include patches and fixes to significant potential security issues and are therefore recommended for all Mac users running Mavericks and Mountain Lion to install. For Macs running Yosemite, the OS X Yosemite 10.10.4 update includes the same set of security fixes, and a separate update is not required.
Mac users running OS X 10.9 and OS X 10.8 will be able to find the EFI update and Security Update available now in the Software Update mechanism of OS X, accessible from the Apple menu > Software Update. The Mac will need to reboot to complete the installation. As always, back up a Mac before performing any system software update.
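For administrators who would rather check from a terminal than click through Software Update, the same information is available from Apple's `softwareupdate -l` command, which lists pending updates and flags those that need a restart. The script below is an added example, not part of the original article: it parses that listing, reports any pending update whose title contains "Security Update", and says whether a reboot will follow. The listing embedded in it is constructed sample output in the tool's format of that era, and the product labels in it (`SecUpd2015-005Mavericks-1.0`, `MacEFIUpdate2015-001-1.0`) are placeholders, not real identifiers; on a Mac the script runs the real command instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Mavericks or Mountain Lion Mac
# for pending security updates by parsing the listing printed by `softwareupdate -l`.
# SAMPLE_LISTING is CONSTRUCTED sample output; the "* ..." product labels are placeholders.
SAMPLE_LISTING='Software Update Tool
Copyright 2002-2015 Apple Inc.

Finding available software
Software Update found the following new or updated software:
   * SecUpd2015-005Mavericks-1.0
        Security Update 2015-005 (1.0), 186753K [recommended] [restart]
   * MacEFIUpdate2015-001-1.0
        Mac EFI Security Update 2015-001 (1.0), 4291K [recommended] [restart]
   * iTunesX-12.2.1
        iTunes (12.2.1), 227361K [recommended]'

# Reads a softwareupdate listing on stdin and prints the title of every pending update
# whose title contains "Security Update". Title lines have the form
# "<name> (<version>), <size>K [flags]", so everything from " (" onward is dropped.
pending_security_updates() {
    grep -i 'Security Update' | sed -e 's/^[[:space:]]*//' -e 's/ (.*//'
}

# Returns 0 if any listed update carries the [restart] flag, i.e. the Mac will reboot.
needs_restart() {
    grep -q '\[restart\]'
}

# Prints one line per pending security update plus the restart status.
# Returns 0 when nothing security-related is pending, 1 when updates remain.
audit_listing() {
    listing="$1"
    names=$(printf '%s\n' "$listing" | pending_security_updates)
    if [ -z "$names" ]; then
        echo "No pending security updates"
        return 0
    fi
    printf '%s\n' "$names" | while IFS= read -r n; do
        echo "PENDING: $n"
    done
    if printf '%s\n' "$listing" | needs_restart; then
        echo "Restart required after install"
    fi
    return 1
}

# On a Mac, query the real tool (it prints progress on stderr, hence 2>&1);
# elsewhere fall back to the constructed sample so the script still runs.
if command -v softwareupdate >/dev/null 2>&1; then
    audit_listing "$(softwareupdate -l 2>&1)" || :
else
    audit_listing "$SAMPLE_LISTING" || :
fi
```

The non-zero return from `audit_listing` is deliberate so the function can drive a fleet check (for example, a scheduled job that alerts while `Security Update 2015-005` is still pending); installing is still done through Software Update, as the article describes, or with `softwareupdate -i -a` after a backup.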
The individual security updates can also be downloaded directly from Apple at the links below:
The release notes for Security Update 2015-005 are rather long but can be read here on Apple.com.
Meanwhile, release notes for the EFI update are fairly brief, as follows:
Mac EFI Security Update 2015-001
• EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application with root privileges may be able to modify EFI flash memory
Description: An insufficient locking issue existed with EFI flash when resuming from sleep states. This issue was addressed through improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah and Corey Kallenberg of LegbaCore LLC, Pedro Vilaça

• EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application may induce memory corruption to escalate privileges
Description: A disturbance error, also known as Rowhammer, exists with some DDR3 RAM that could have led to memory corruption. This issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working from original research by Yoongu Kim et al (2014)