OS X may be considered Apple's desktop OS magnum opus, but it certainly hasn't been without its share of vulnerabilities (1,250 to date per the CVE database). The following are the top 11 OS X vulnerabilities and exploitation prevention tips.
The Dock in Apple OS X versions before 10.10 improperly manages the screen-lock state. This could allow attackers in physical proximity to access an unattended workstation. Newer versions of OS X do not have this flaw, so upgrading to a newer version effectively remediates the vulnerability.
Versions of Mail before 10.10 do not properly recognize the removal of a recipient address from a message. This could allow remote attackers to obtain sensitive information by reading a message intended exclusively for other recipients.
The Security-Keychain component in versions of OS X before 10.9.4 does not properly implement keystroke observers. This could allow physically proximate attackers to bypass the screen-lock protection mechanism and enter characters into an arbitrary window under the lock window via keyboard input. Updating to version 10.11 or higher effectively remediates this vulnerability.
The App Store process in CommerceKit Framework in OS X before 10.10.2 places Apple ID credentials in App Store logs, which could allow local users to obtain sensitive information by simply reading the logfiles.
The User Documentation component in OS X through 10.6.8 uses HTTP sessions for updates to App Store help information. This could allow a man-in-the-middle attacker to execute arbitrary code by spoofing the HTTP server.
Mail in OS X before 10.9 (with Kerberos authentication enabled and TLS disabled) sends invalid cleartext data, which could allow remote attackers to obtain sensitive information by simply sniffing network traffic.
New error logging features in OS X 10.10 that include unsafe additions to the dynamic linker could allow local attackers to gain unfettered root privileges.
Upgrading your OS X-based nodes to the latest version can effectively remediate these vulnerabilities. However, in some cases it may not be possible (or feasible) to perform such updates en masse—these scenarios may require patches to be downloaded and applied in a specific manner. Regardless of how you plan on applying these critical OS X updates, UpGuard's OVAL-backed vulnerability scanner can automatically identify which nodes are at-risk on an ongoing basis.