Apple has fixed a huge number of security vulnerabilities in OS X and iTunes and, at the same time, is being hit with criticisms about privacy issues in the new version of OS X.
The latest version of the operating system, known as Yosemite, sends location information to Apple by default via the Spotlight search feature, something that has angered users and privacy advocates. Yosemite was released to users on Oct. 17 and within hours users began reporting that highly specific location data was being sent from their machines back to Apple. The feature that enables this data collection and transmission is Spotlight, a powerful search function in OS X that in Yosemite now has the ability to return search results not just from the user’s Mac, but also from iTunes, the App Store and the Web.
APPLE COLLECTS USERS’ DATA AND FORWARDS IT TO MICROSOFT AS WELL
On one hand, Apple decided to enable hard drive encryption by default, despite FBI requests not to do so. On the other, the company is itself putting its users’ privacy at risk. The same data Apple collects from users’ Spotlight search terms will also be forwarded to Microsoft’s Bing search engine, as Apple freely admits in its terms of service.
When a user has location services on her Mac enabled, some of the data from searches, including location information, is sent to Apple.
“When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple. Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple. Searches for common words and phrases will be forwarded from Apple to Microsoft’s Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services,” the disclaimer in Yosemite says.
HOW TO PROTECT YOURSELF
Spotlight Suggestions and Bing Web searches are enabled by default, but users can turn them off in System Preferences, the company noted.
A developer has created a Python script, which you can download from our site, to prevent Apple from collecting this data. You can also switch the feature off yourself by following these step-by-step instructions:
Disable “Spotlight Suggestions” and “Bing Web Searches” in System Preferences > Spotlight > Search Results.
Safari also has a “Spotlight Suggestions” setting that is separate from Spotlight’s “Spotlight Suggestions.” This uses the same mechanism as Spotlight, and if left enabled, Safari will send a copy of all search queries to Apple.
You’d be forgiven for thinking that you’d already disabled “Spotlight Suggestions,” but you’ll also need to uncheck “Include Spotlight Suggestions” in Safari > Preferences > Search.
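The two-step procedure above is easy to leave half done, so here is an added audit example (not the developer's script mentioned in this article) that reports which of the three settings are still on. The preference names `orderedItems`, `MENU_SPOTLIGHT_SUGGESTIONS`, `MENU_WEBSEARCH` and `UniversalSearchEnabled` are assumptions that do not appear in the article, and the sample plists are constructed.

```python
import plistlib

# Assumed names (not given in the article): the Spotlight category list lives
# under "orderedItems" in the com.apple.Spotlight domain, and Safari's switch
# is "UniversalSearchEnabled" in com.apple.Safari. Verify on the target system.
REMOTE_ITEMS = ("MENU_SPOTLIGHT_SUGGESTIONS", "MENU_WEBSEARCH")
SAFARI_KEY = "UniversalSearchEnabled"


def spotlight_remote_enabled(prefs):
    """Return the remote search categories still enabled in Spotlight prefs."""
    items = prefs.get("orderedItems")
    if not isinstance(items, list):
        # No saved list: the user never changed the pane, so defaults (on) apply.
        return list(REMOTE_ITEMS)
    state = {i.get("name"): bool(i.get("enabled", True))
             for i in items if isinstance(i, dict)}
    # A category missing from the list is treated as still on.
    return [name for name in REMOTE_ITEMS if state.get(name, True)]


def safari_suggestions_enabled(prefs):
    """Safari keeps its own switch; an absent key means the default (on)."""
    return bool(prefs.get(SAFARI_KEY, True))


def audit(spotlight_plist, safari_plist):
    """Take two plist byte strings (b"" if absent) and return findings."""
    spotlight = plistlib.loads(spotlight_plist) if spotlight_plist else {}
    safari = plistlib.loads(safari_plist) if safari_plist else {}
    findings = ["Spotlight: %s is enabled" % n
                for n in spotlight_remote_enabled(spotlight)]
    if safari_suggestions_enabled(safari):
        findings.append("Safari: Include Spotlight Suggestions is enabled")
    return findings


# Constructed sample: both Spotlight boxes unticked, Safari never touched.
SAMPLE_SPOTLIGHT = plistlib.dumps({"orderedItems": [
    {"name": "APPLICATIONS", "enabled": True},
    {"name": "MENU_SPOTLIGHT_SUGGESTIONS", "enabled": False},
    {"name": "MENU_WEBSEARCH", "enabled": False},
]})
SAMPLE_SAFARI = plistlib.dumps({"HomePage": "about:blank"})

if __name__ == "__main__":
    for line in audit(SAMPLE_SPOTLIGHT, SAMPLE_SAFARI):
        print(line)
```

On the constructed sample, the only finding is the Safari setting, which is the case the paragraph above warns about.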
“Yosemite Spotlight’s default sending of precise location and search terms is probably the worst example of ‘privacy by design’ I’ve seen yet.
On the security side of things, Yosemite includes fixes for dozens of vulnerabilities, several of which can result in remote code execution. Yosemite includes a patch for the Bash Shellshock vulnerability as well as fixes for flaws in a number of components, such as the app sandbox, IOKit, the OS X kernel and many others. One of the more serious issues fixed in this release is a problem with the 802.1x implementation that could allow an attacker to get the user’s credentials.
“An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default,” Apple said in its advisory.
There’s also a fix for a vulnerability in the way that OS X handled altered apps.
“Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution,” the advisory says.
In the new version of iTunes, Apple has fixed a bug that could allow an attacker with man-in-the-middle position to crash iTunes or execute arbitrary code. The release of iTunes 12.01 also includes patches for dozens of memory corruption vulnerabilities in WebKit.