Apple OS X Yosemite
Apple released the latest version of its Mac OS X, called Yosemite, on October 17, 2014. Apple has fixed a large number of security vulnerabilities in OS X and iTunes, which are detailed below.
While Yosemite has been well received by Apple users, a section of users, including privacy advocates, has panned Apple for compromising user privacy in the latest version of OS X Yosemite.
Spotlight Search Feature
Critics and privacy advocates pointed out that Yosemite sends location information to Apple by default via the Spotlight search feature. This feature, which runs by default, can severely compromise users' privacy, they say.
Within hours of its release on Oct. 17, tech forums and social networks such as Facebook and Twitter were filled with complaints about the default Spotlight search feature. Users began reporting that highly specific location data was being sent from their machines back to Apple, which was a strict no-no for them.
Spotlight is a powerful search function incorporated in OS X Yosemite that gives the Mac OS X user high-quality search results from the Mac, iTunes, the App Store and the web. The problem is that for this feature to work, data needs to be transmitted to and collected on Apple's servers. So by default, when a user has Location Services enabled on the Mac, some of the data from searches, including location information, is sent to Apple.
Though this feature is enabled by default, users can disable it in the Preferences section of OS X.
Apple, for its part, has provided a clear disclaimer to Yosemite users, which they should read before panning Apple.
“When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple. Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple. Searches for common words and phrases will be forwarded from Apple to Microsoft’s Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services”
Ashkan Soltani, an independent consultant and privacy researcher, said on Twitter that the changes in Yosemite were a serious privacy problem.
Yosemite Spotlight's default sending of precise location and search terms is probably the worst example of 'privacy by design' I've seen yet
— ashkan soltani (@ashk4n) October 20, 2014
Other fixes in OS X Yosemite
Apart from that issue, Yosemite has managed to remain a trouble-free release for Apple. It also includes fixes for dozens of remote code execution vulnerabilities. To address the Bash Bug worries, Apple has included a patch for the Bash Shellshock vulnerability, as well as fixes for flaws in a number of components, such as the app sandbox, IOKit, the OS X kernel and many others. One of the more serious issues fixed in this release is a problem with the 802.1X implementation that could allow an attacker to obtain the user's credentials.
“An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default.”
Apple has also fixed a high-risk vulnerability in the way OS X handled altered apps.
“Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution.”