When it comes to updates, Apple doesn't do 'predictable'.
Other organisations such as Microsoft, Mozilla and Adobe are well-known for publishing updates not only frequently but also regularly.
Indeed, with those companies, you don't just get updates at least once a month (or once every four weeks for Mozilla), but the pre-announced ones are always scheduled to arrive on Tuesdays.
Never Mondays, because some big organisations have IT rules that set Mondays aside for clearing up any crises that might have happened over the immediately preceding weekend.
Never Fridays, in case of any crises that might arise in the immediately following weekend as a result.
And never Wednesdays or Thursdays, because Tuesday gives you the longest clear run of spare weekdays before Friday arrives and shuts down the so-called 'change window' once again.
Apple, on the other hand, follows a more reclusive approach, so that macOS and iOS updates – with very occasional exceptions – show up unexpectedly, with no pre-announcement of the nature, scale or importance of what's getting fixed:
'For the protection of our customers, Apple doesn't disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available.'
The idea seems to be to give cybercriminals the fewest hints about where the latest bugs might be, and the least amount of advance warning about where to start looking.
In other words, the crooks have very little to go on except what they can glean from reverse engineering the patches and comparing the new code to the old, and they only find out for sure what the patches look like at the same time that the rest of us can download and deploy them.
On the other hand, Apple's cone of silence can sometimes be annoying and hard to understand, because it means that concerned users can never be quite sure when already-known bugs in open source components that ship with Apple's products are going to be fixed.
For example, the latest update includes a patch on older macOS versions for CVE-2019-20807, a remote code execution bug in Vim, an open source text editor that ships as part of the macOS distribution and is extremely popular and widely used in the technical community.
That bug has been well-documented since early 2020, and clearly dates back to 2019, so Apple's policy of not saying whether it's looking into already-known vulnerabilities or not, but of keeping quiet unless and until an update turns up, leaves users uncertain as to whether:
- Apple's implementation of the vulnerable product is built in such a way as to be immune.
- Apple is aware of the flaw but has decided it's unimportant and doesn't plan on fixing it.
- Apple is aware of the flaw and has already patched it but just not shipped the fix yet.
- Apple hasn't realised that the vulnerability even exists and won't be fixing it on that account.
Of course, we know now that Apple did know about the Vim issue mentioned above, and has patched it at last, so any users who were wondering about it can now scratch that one off their list of concerns…
…but keeping silent even about bugs that are already well-known – as well as documented and fixed by other vendors – seems a strange choice.
What's fixed?
A few of the macOS fixes caught our eye:
- Several file handling bugs could lead to remote code execution. Bugs that could be abused to implant malware simply by opening up a booby-trapped multimedia file were patched in several parts of the system. The CoreAudio, ImageIO, and Model I/O system libraries are all listed as having file processing bugs, but Apple hasn't given an exhaustive list of which file formats are the risky ones. (See CVE-2020-9884, CVE-2020-9889, CVE-2020-9888, CVE-2020-9890, CVE-2020-9891, CVE-2020-9866, CVE-2020-9936, CVE-2020-9878.)
Note that even if a bug exists in a file type that you never use, such as an arcane image or video format, you are still at risk from booby-trapped web downloads or email attachments.
After all, the operating system knows what file types it can handle and will typically choose which file processing code to use automatically, so the crooks don't have to rely on you jumping through hoops to figure out how to infect yourself by mistake when they send you files with extensions you've never heard of.
- A bug in the macOS Crash Reporter could allow a sandbox escape. The sandbox is used to prevent software from using parts of the system that it will never need, thus minimising the damage it can do, even by accident. So there's a wry irony that the very tool that's supposed to help you submit security reports to Apple could be abused by a malicious app to let it wriggle out of those sandbox safety constraints. (See CVE-2020-9865.)
- Several kernel-level bugs that could lead to remote code execution at the highest privilege. Implanting malware via a kernel exploit gives an attacker much more control than just taking over a regular user account, and more even than getting an administrator-level (root) login. (See: CVE-2020-9799, CVE-2019-14899, CVE-2020-9864.)
- A VPN hole that could let someone mess with encrypted network traffic. In Apple's words, 'an attacker in a privileged network position may be able to inject into active connections within a VPN tunnel.' (CVE-2019-14899.)
There are also a bunch of fixes in Safari, including patches for remote code execution vulnerabilities, that you need to download separately if you are still using macOS Mojave or High Sierra. (On the latest version, macOS Catalina, the Safari update arrives along with the main macOS patches.)
Users of iOS 13 on iPhones and iPads get an update to 13.6 covering many of the bugs listed above, given that macOS and iOS share a huge amount of code.
The iOS 12.4.8 update, however, which is the only pre-13 iOS version still supported, 'has no published CVE entries', according to Apple, which implies that it received little more than a touch of spit-and-polish.
What to do?
Get the updates while they're hot!
There's nothing here that sounds anywhere near as dramatic as Microsoft's just-patched 'SIGRed' bug in its DNS server, but that bug admittedly attracted special attention as much because of its funky name (dramatically channelling the 'Code Red' worm of 2001) as because of its current danger.
Kernel-level remote code execution risks like the ones listed above are always worth patching as quickly as you can, because they can be considered trophy bugs for any cybercriminal.
A crook who figured out a working exploit for any of the kernel holes mentioned would almost certainly (and immediately) find any number of willing buyers on the dark web.
On a Mac, go to Apple menu > System Preferences > Software Update.
On iPhones and iPads, it's Settings > General > Software Update.
After the update, depending how many Apple devices you have, you should be on some, many or all of: iOS 12.4.8, iOS 13.6, macOS 10.15.6 (if you are on Catalina), macOS 10.13.6 with Security Update 2020-004 (High Sierra), macOS 10.14.6 with Security Update 2020-004 (Mojave), and Safari 13.1.2.
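A version check for the targets listed above, written as an added example rather than anything from Apple or the original article: the host names and inventory format are constructed, and the minimum versions are the ones quoted in the text. It treats each release branch separately, since iOS 12.4.8 is fully patched despite being lower than 13.6, and it flags Mojave and High Sierra for a manual check because Security Update 2020-004 does not change the 10.14.6 or 10.13.6 version number.

```python
def parse_version(text):
    """'13.6' -> (13, 6, 0); padded so '13.6' and '13.6.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# Branches where the fix is visible in the version number (values from the article).
VERSIONED_FIX = {
    ("iOS", (12,)): parse_version("12.4.8"),
    ("iOS", (13,)): parse_version("13.6"),
    ("macOS", (10, 15)): parse_version("10.15.6"),
    ("Safari", (13,)): parse_version("13.1.2"),
}
# Branches fixed by Security Update 2020-004: the version number alone cannot
# prove the update is installed, so these need a follow-up check.
SECURITY_UPDATE_FIX = {
    ("macOS", (10, 13)): parse_version("10.13.6"),
    ("macOS", (10, 14)): parse_version("10.14.6"),
}

def classify(platform, version_text):
    """Return 'patched', 'outdated', 'verify-security-update' or 'not-covered'."""
    version = parse_version(version_text)
    # macOS 10.x branches are identified by two components, iOS/Safari by one.
    branch = version[:2] if platform == "macOS" else version[:1]
    key = (platform, branch)
    if key in VERSIONED_FIX:
        return "patched" if version >= VERSIONED_FIX[key] else "outdated"
    if key in SECURITY_UPDATE_FIX:
        if version < SECURITY_UPDATE_FIX[key]:
            return "outdated"
        return "verify-security-update"
    return "not-covered"  # a branch the article says nothing about

# Constructed sample inventory: host,platform,version
INVENTORY = """\
alice-iphone,iOS,13.5.1
bob-ipad,iOS,12.4.8
build-mac,macOS,10.15.6
lab-mac,macOS,10.14.6
old-mac,macOS,10.13.4
carol-safari,Safari,13.1.2
"""

def audit(inventory_text):
    """Map each host in the CSV-style inventory to its patch status."""
    rows = (line.split(",") for line in inventory_text.splitlines() if line.strip())
    return {host: classify(platform, version) for host, platform, version in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:14} {status}")
```
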