Last week Apple released a new version of its operating system to consumers.
The existence of the POODLE vulnerability was publicly revealed only a day before Yosemite’s release, but was known to Apple before that. Nevertheless, it’s great to see that the problem has been fixed in the newest OS.
This particular hole has been plugged by disabling CBC cipher suites when TLS connection attempts fail.
The Shellshock bug was also promptly addressed by the company earlier, when it released a security update for OS X Mavericks, Mountain Lion, and Lion in late September.
Yosemite comes with many other important fixes for remote code execution, DoS, and information disclosure bugs, as well as an update to the certificate trust policy.
But users who won’t be upgrading their OS are also safe from POODLE attacks, as the company has simultaneously released Security Update 2014-005, which addresses the flaw in OS X Mavericks and Mountain Lion, but not Lion.
This update also includes the security content of the aforementioned OS X bash update pushed out in September, likely because that update had to be downloaded and installed manually, which certainly resulted in fewer users applying it.