UPDATE: On Friday, September 27, Apple released two more updates—iOS 13.1.1 and iPadOS 13.1.1—to address the following issue:
Sandbox
Impact: Third party app extensions may not receive the correct sandbox restrictions
Description: A logic issue applied the incorrect restrictions. This issue was addressed by updating the logic to apply the correct restrictions.
On Thursday, September 26, Apple released security updates for iOS, watchOS, and three macOS versions, and over the past week Apple also fixed security flaws in iPadOS, Safari for Mac, Xcode, and tvOS. Apple finally provided security notes today for all of these updates. Here’s a brief rundown of new features and security related fixes included with each update.
The focus of today’s updates was a single security related issue:
Foundation
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
This issue was serious enough for Apple to push out an update that’s even available for those running older iOS and watchOS versions:
It would be nice if Apple supported the two previous iOS versions with security updates just like it does with macOS, but I expect this to be a one-off event due to the apparent threat level of the addressed issue.
Perhaps this surprise iOS 12 security update could also have something to do with the recency of iOS 13’s release; some users may not have figured out that their iPhone 6, for example, is ineligible for iOS 13, and haven’t yet purchased a newer phone.
On the other hand, perhaps this could be a sign that Apple might continue to release security updates for the previous major iOS version, but only time will tell.
Meanwhile, it makes sense for Apple to have updated watchOS 5 even though watchOS 6 is out, specifically because Apple has delayed the release of watchOS 6 for the Apple Watch Series 1 and 2 until “later this year.”
Over the last week, of course, we have seen the release of major updates for every Apple operating system except for macOS (Catalina is delayed until sometime in October), as well as Xcode and Safari for macOS, but Apple completely held back the security details until today.
When this happens, we can assume this is because the issues have not yet been addressed on some of Apple’s platforms (or in rarer cases, like with Meltdown and Spectre last year, multiple companies may be planning a coordinated disclosure). Once Apple releases all the patches (or at the appointed time of a coordinated disclosure), security notes follow.
The notes for today’s updates as well as the earlier updates were all published simultaneously today, so now we can give you the skinny on all of them.
iOS 13 saw at least nine security related issues addressed, followed by another in iOS 13.1, and today one of the bugs that had been fixed in iOS 13 (the Foundation issue described above) was also fixed in iOS 12.4.2.
A few interesting fixes in iOS 13 (in addition to the Keyboards issue described in the tvOS section below) included:
Face ID
Available for: iPhone X and later
Impact: A 3D model constructed to look like the enrolled user may authenticate via Face ID
Description: This issue was addressed by improving Face ID machine learning models.
Messages
Available for: iPhone 6s and later
Impact: A person with physical access to an iOS device may be able to access contacts from the lock screen
Description: The issue was addressed by restricting options offered on a locked device.
Safari
Available for: iPhone 6s and later
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state management.
iOS 13.1 and iPadOS 13.1 only include one documented security fix (for another “lock screen bypass” bug similar to the Messages one above):
VoiceOver
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A person with physical access to an iOS device may be able to access contacts from the lock screen
Description: The issue was addressed by restricting options offered on a locked device.
iOS 13.1 and iPadOS 13.1 can be downloaded over the air (i.e. directly onto a device) by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and use the iTunes app to check for, download, and install the iOS update.
Strangely, Apple still hasn’t fixed a flaw in the iOS version of Safari that allows anyone to send fake news headlines from popular news sites—a bug discovered more than seven months ago.
Safari 13, at the time of its release on September 19, only saw one issue addressed:
WebKit Page Loading
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
Safari 13.0.1, released on September 24, added two more fixes:
Safari
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
Impact: Visiting a malicious website may lead to user interface spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
Service Workers
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
Impact: Service workers may leak private browsing history
Description: The issue was addressed with improved handling of service worker lifetime.
Users of macOS Mojave and High Sierra can install the latest version of Safari via Apple menu > System Preferences… > Software Update.
Although watchOS 6 was released on September 19 (for Apple Watch Series 3, 4, and 5), we finally learned today that the only security issue addressed was the one for Foundation, described above. Meanwhile, watchOS 5.3.2 (for Apple Watch Series 1 and 2) was released today and addressed the same security issue.
The new watchOS update can be installed by connecting your Apple Watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.
We learned today that tvOS 13, released on September 24, included one newly documented security fix (which was also fixed in iOS 13 for iPhone 6s and later):
Keyboards
Available for: Apple TV 4K and Apple TV HD
Impact: A local user may be able to leak sensitive user information
Description: An authentication issue was addressed with improved state management.
The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.
Xcode, Apple’s software development suite, received a major update to version 11.0 on September 20, and it included fixes for seven security issues. Registered developers can download Xcode via Apple’s developer downloads page.
Apple’s update release schedule has been a bit messy lately, and this in turn has led to the security notes being unavailable or incomplete for more than a week in some cases.
There is always the possibility of additional entries being added at a later date, particularly if a future Apple update addresses another bug that was silently addressed in past updates, or if there are coordinated vulnerability disclosures as mentioned above.
Whether you’re using iOS, iPadOS, or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned. The most thorough way to back up your iOS or iPadOS device is to connect it to your computer and create an encrypted backup via the iTunes app, but you can also back up your device to iCloud. For backing up your Mac, see our related article:
You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.