Apple's Yosemite 2015-003 Security Update Patches Hole in iCloud Keychain

Apple released security patch notes for Security Update 2015-003 for Yosemite Thursday evening. The software update went live with little information on its contents, but Apple's security page now indicates the update patches two issues that could allow the bad guys to take over your Mac.

The first is a problem with iCloud Keychain that could allow a malicious hacker with privileged access on your network—no mean feat in and of itself—to execute arbitrary code on your Mac. That's security-speak for install whatever they want and take over your Mac.

The second issue deals with IOSurface, an under-the-hood feature in OS X that developers use. This hole also allowed hackers to execute arbitrary code on your Mac. Both are patched with Security Update 2015-003 for Yosemite and Security Update 2015-003 for Yosemite (Early 2015 Mac).

Apple also noted that this update includes the contents of Security Update 2015-002, which was released earlier in March.

Apple's security patch notes:

APPLE-SA-2015-03-19-1 Security Update 2015-003

Security Update 2015-003 is now available and addresses the following:

iCloud Keychain
Available for: OS X Yosemite v10.10.2
Impact: An attacker with a privileged network position may be able to execute arbitrary code
Description: Multiple buffer overflows existed in the handling of data during iCloud Keychain recovery. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-1065 : Andrey Belenko of NowSecure

IOSurface
Available for: OS X Yosemite v10.10.2
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A type confusion issue existed in IOSurface's handling of serialized objects. The issue was addressed through additional type checking.
CVE-ID
CVE-2015-1061 : Ian Beer of Google Project Zero

Note: Security Update 2015-003 includes the content of Security Update 2015-002. For further details see "About Security Update 2015-002" at: https://support.apple.com/en-us/HT204413

You can download the security update through the Mac App Store.