About a week ago, Apple patched three vulnerabilities in iOS that had been used in a targeted exploit. This set of vulnerabilities, also known as "Trident," affected WebKit and the iOS kernel. Given the substantial code overlap between iOS and OS X, and in particular the fact that one of the vulnerabilities affected WebKit, it is no surprise that OS X and Safari are vulnerable as well.

Yesterday, Apple released a patch of OS X and Safari to address these issues.

The OS X update, which is only available for El Capitan and Yosemite, fixes the two kernel vulnerabilities. The Safari update which is available for OS X Mavericks and Yosemite (not the latest version, El Capitan), fixes the WebKit vulnerability.

I recommend patching these quickly given that the same vulnerabilities have already been exploited for iOS.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn