Apple has patched two security vulnerabilities (CVEs) in OS X Yosemite today with the release of Security Update 2015-003. The update addresses flaws in iCloud Keychain in Apple OS X through 10.10.2, as well as an arbitrary code execution issue affecting IOSurface.
Security Update 2015-003 is available for OS X Yosemite 10.10.2.
Apple’s security notice describes the patched vulnerabilities as follows:
- CVE-2015-1065: An attacker with a privileged network position may be able to execute arbitrary code. Multiple buffer overflows existed in the handling of data during iCloud Keychain recovery. These issues were addressed through improved bounds checking.
- CVE-2015-1061: A malicious application may be able to execute arbitrary code with system privileges. A type confusion issue existed in IOSurface’s handling of serialized objects. The issue was addressed through additional type checking.
OS X Yosemite users can install the update through Apple’s Software Update tool by choosing Apple menu > Software Update, or download it directly from Apple’s support page.
Note that Security Update 2015-003 also includes the content of Security Update 2015-002, which offered patches for the FREAK vulnerability for OS X, Apple TV and iOS.