You probably remember that last week, Apple urged all iOS 9 users to update their devices to iOS 9.3.5, which contained an essential security fix. (If you haven’t done that, go do it now!)
On Thursday, Apple provided another set of security updates, this time for the Mac. Security Update 2006-001 for El Capitan, and Security Update 2006-005 for Yosemite are rolling out now, so keep an eye on the Mac App Store and update as soon as you can. Also available is Safari 9.1.3, which is for El Capitan, Yosemite and OS X 10.9.5 Mavericks.
Glenn Fleishman explains the three separate zero-day exploits patched in iOS 9.3.5, which are very targeted, but could allow full access to a compromised device. The flaws were reported by Citizen Lab and Lookout Security, and those names pop up again in today’s security updates for the Mac.
The exploits require the user to open a URL from an SMS message, which then executes remote binary files in the OS that dig into the kernel and allow unauthorised software to be installed – in iOS this effectively jailbreaks your device behind your back.
According to Apple’s release notes, the Mac security updates released today will prevent applications from disclosing kernel memory and executing arbitrary code with kernel privileges. Safari’s patch fixes a memory corruption issue that would allow a malicious website to execute arbitrary code in the first place, namely the malware that’s trying to get into your kernel.
In other words, you need these patches. So go get ’em.