Apple has fixed a huge number of security vulnerabilities in OS X and iTunes and, at the same time, is being hit with criticisms about privacy issues in the new version of OS X.
The latest version of the operating system, known as Yosemite, sends location information to Apple by default via the Spotlight search feature, something that has angered users and privacy advocates. Yosemite was released to users on Oct. 17 and within hours users began reporting that highly specific location data was being sent from their machines back to Apple. The feature that enables this data collection and transmission is Spotlight, a powerful search function in OS X that in Yosemite now has the ability to return search results not just from the user’s Mac, but also from iTunes, the App Store and the Web.
When a user has location services on her Mac enabled, some of the data from searches, including location information, is sent to Apple.
“When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple. Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple. Searches for common words and phrases will be forwarded from Apple to Microsoft’s Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services,” the disclaimer in Yosemite says.
Users can disable this function in the Preferences section of OS X, but it is enabled by default. Ashkan Soltani, an independent consultant and privacy researcher, said on Twitter that the changes in Yosemite were a serious privacy problem.
“Yosemite Spotlight’s default sending of precise location and search terms is probably the worst example of ‘privacy by design’ I’ve seen yet,” Soltani said.
On the security side of things, Yosemite includes fixes for dozens of vulnerabilities, several of which can result in remote code execution. Yosemite includes a patch for the Bash Shellshock vulnerability as well as fixes for flaws in a number of components, such as the app sandbox, IOKit, the OS X kernel and many others. One of the more serious issues fixed in this release is a problem with the 802.1x implementation that could allow an attacker to get the user’s credentials.
“An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default,” Apple said in its advisory.
There’s also a fix for a vulnerability in the way that OS X handled altered apps.
“Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution,” the advisory says.
In the new version of iTunes, Apple has fixed a bug that could allow an attacker with man-in-the-middle position to crash iTunes or execute arbitrary code. The release of iTunes 12.01 also includes patches for dozens of memory corruption vulnerabilities in WebKit.