Apple closes a raft of “drive-by download” holes in OS X and iOS

If you’re one of those people who waits for the first update to an update before you install it…

…and you’re also an OS X or an iOS user, then your number’s just been called.

In a flurry of Security Advisories published this week [2015-10-21] by Apple, the following security-oriented updates were announced:

  • OS X El Capitan 10.11.1
  • iOS 9.1
  • watchOS 2.0.1
  • OS X Server 5.0.15

Additionally, iTunes goes to 12.3.1; Safari goes to 9.0.1; and, for programmers, Xcode goes to 7.1.

Interestingly, the iTunes security advisory applies only to Windows – on the Mac, it seems, it’s funky new features only.

Pre-Capitan versions of OS X get their own security fixes in Update 2015-007 and Mac EFI Security Update 2015-002.

As usual, head over to the App Store for the fixes: Apple Menu | App Store... | Updates.

Or, if you’re like me, you may want to get the OS X El Capitan point release as a disk image, just in case you need to reinstall the base operating system, or if, unlike me, you have a whole stash of Macs and don’t want each one of them to have to fetch the update from the App Store.

Bandwidth planner: iOS 9.1 will cost you about 0.3GB and OS X 10.11.1 about 1.1GB. Xcode 7.1, despite being a point release, is an “all-over-again” download, at just a shade over 2GB.

The security patches include a large number of remote code execution (RCE) holes that could, in theory, be triggered by booby-trapped objects of numerous sorts, including:

  • Web pages
  • Audio files
  • Fonts
  • Disk images
  • Package (.pkg) files
  • Images
  • AppleScripts

Once again, well done to Apple for pushing out fixes quickly, given that it’s less than a month since El Capitan came out, and just over a month since iOS 9 hit the airwaves.

And to all those Apple fans who live by the rule, “If malware hits your Mac, you’ll always see a prompt or some kind of warning first…”

…the whole problem with an RCE attack caused by booby-trapped content is that just looking at a file, or opening a file that contains embedded data such as a font or an image, is usually enough to give control to the crooks.

It’s called a drive-by install or a drive-by download for obvious reasons: you think you are safely “Just Visiting,” as the Monopoly board puts it, but the crooks end up owning you!

Monopoly board JUST VISITING image by txking, courtesy of Shutterstock.
