Last Updated: 2014-10-17 12:42:04 UTC
by Johannes Ullrich (Version: 1)
Apple yesterday released the latest version of its operating system, OS X 10.10 Yosemite. As usual, the new version of the operating system does include a number of security related bug fixes, and Apple released these fixes for older versions of OS X today.
This update, Security Update 2014-005 is available for versions of OS X back to 10.8.5 (Mountain Lion).
Among the long list of fixes, here a couple of highlights:
Apple doesn't turn off SSLv3 in this release, but restricts it to non-CBC ciphers, limiting its exposure to attacks like POODLE and BEAST. The list of trusted certificate authorities has also been updates 
802.1x no longer supports LEAP by default due to weaknesses in this authentication method.
The bash fix, that was released as a standalone fix earlier to counter "Shellshock", is included in this update.
An arbitrary code execution vulnerability in CUPS was fixed. (CVE-2014-3537)
And a quick note about OS 10.10 Yosemite:
After installing it, all security relevant settings I checked where untouched (good!). Among security relevant software, GPGMail will not work with Yosemite yet, but according to the developers, a fix is in the work and may be release in a few weeks, but GPGMail may no longer be free. If you rely on software that you compiled with MacPorts: Wait for the release of XCode 6.1, as it is required to recompile the software for OS X 10.10. In general, it is adviced that you FIRST update all your software and then upgrade to Yosemite. Little Snitch, another popular piece of security software for OS X, works well with Yosemite, but I recommend you turn off the network filter during the upgrade (it works with it enabled, but you need to approve a lot of new connections from new software).