The Mac Security Blog

Apple releases iOS 12.2, macOS Mojave 10.14.4, watchOS 5.2 with critical security updates

This week, Apple released updates to all of its operating systems, Safari for Mac, and other software. Here’s a brief rundown of new features and security-related fixes included with each update.

iOS 12.2

Apple lists iOS 12.2 as an update that provides support for Apple News+, adds the ability for Siri to play videos from your iOS device to Apple TV, and includes four new Animoji. The update also includes bug fixes and improvements.

But this update does not just contain new features and enhancements; it also contains a whopping 51 security fixes. A few of the highlights:

FaceTime
Impact: A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.

file
Impact: Processing a maliciously crafted file might disclose user information
Description: An out-of-bounds read was addressed with improved bounds checking.

GeoServices
Impact: Clicking a malicious SMS link may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.

Mail
Impact: Processing a maliciously crafted mail message may lead to S/MIME signature spoofing
Description: This issue was addressed with improved checks.

Privacy
Impact: A malicious app may be able to track users between installs
Description: A privacy issue existed in motion sensor calibration. This issue was addressed with improved motion sensor processing.

Several serious kernel, WebKit, and other vulnerabilities were fixed. All in all, a huge number of security bugs were addressed in this update, so it is strongly recommended to install it sooner rather than later.

The full list of security issues addressed can be found here. iOS 12.2 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac (or Windows PC) and install the update via the iTunes app.

Notably, Apple still has not addressed the iOS Safari issue that allows anyone to send fake news headlines to other iMessage users.

tvOS 12.2

Available for the Apple TV HD—formerly known as the Apple TV (4th generation)—and Apple TV 4K, tvOS 12.2 addresses 36 security issues, most of them the same as those addressed in iOS 12.2; the kernel, WebKit, and Siri all had some work done to make them more secure. Feature-wise, the Apple TV only gains the ability to play videos that you ask Siri to play on your iOS device.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

Safari 12.1

The latest version of Safari for Mac—available for macOS Mojave, High Sierra, and Sierra users—brings a few enhancements that improve overall security.

Safari will now let you know when a website is loaded without encryption; this warning is displayed in the address bar. Support for the Do Not Track standard (which had good intentions, but never gained widespread adoption by advertisers) has been removed as well. Adoption of this standard was low, and having it enabled actually made the browser more identifiable online, as the setting becomes part of your browser fingerprint. Twenty security-related issues were addressed, of which 18 are for WebKit and 2 are for Safari Reader.

The full list of security issues addressed can be found here. The new Safari 12.1 can be downloaded through the Updates tab of the App Store. For macOS Mojave users, it is included in macOS 10.14.4.

macOS 10.14.4, Security Update 2019-002 High Sierra, and Security Update 2019-002 Sierra

Last but not least, macOS got some update love: Security Updates for Sierra and High Sierra users, and a security and feature update for Mojave users. Mojave now supports Apple News+, Safari adds Dark Mode support for websites with custom color schemes, and iTunes enhanced the editorial highlights in the Browse tab. Also added was support for the 2nd generation AirPods. Further enhancements and fixes to the OS include:

Of course, there are more security-related fixes included as well, 38 to be exact. These include:

Bom
Available for: macOS Mojave 10.14.3
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved handling of file metadata.

DiskArbitration
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password
Description: A logic issue was addressed with improved state management.

Graphics Drivers
Available for: macOS Mojave 10.14.3
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.

Time Machine
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A local user may be able to execute arbitrary shell commands
Description: This issue was addressed with improved checks.

There is some overlap with the security fixes in iOS and tvOS due to shared code among OS versions. The earlier mentioned FaceTime pause bug is one of them.

The full list of security issues addressed can be found here. macOS Sierra and High Sierra users can find the security update in the App Store app under the Updates tab. Mojave users should visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update) instead; on Mojave the App Store app will no longer list operating system updates. At the time of writing a Combo Update was not yet available for download.

watchOS 5.2

Although the other updates listed above were released on Monday, Apple waited until Wednesday to release the watchOS update; it’s unclear why there was a delay.

Since watchOS shares much of its code with iOS and tvOS, many of the same vulnerabilities were fixed (29 in all; see the full list here).

Aside from security updates, watchOS 5.2 expands support for the ECG app and irregular heart rhythm notifications to Hong Kong and some regions of Europe (listed here), and supports AirPods (2nd generation).

To update to watchOS 5.2, you must first update your iPhone to iOS 12.2, then connect the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update and tap Download and Install.

Xcode 10.2

Apple’s software development app, Xcode, also received an update that fixed one security vulnerability (listed here). Oddly, the security bug addressed by this update seems to have been patched in all of Apple’s operating systems in early December 2018.

Apple software updates for Windows

Apple also released updates for the Windows versions of its software, namely iTunes 12.9.4 for Windows (19 vulnerabilities, detailed here) and iCloud for Windows 7.11 (20 vulnerabilities, detailed here).

Most of the security issues fixed were the same WebKit vulnerabilities addressed in the software listed above.

Back up your Macs and iOS devices before updating

Whether you’re using iOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

How can I learn more?

Be sure to check out these other articles related to the March 25 Apple Event:

At your service: The full lowdown on Apple TV+, Apple News+, Apple Card, and Apple Arcade

First look at Apple News+

Intego’s experts will discuss Apple’s new services in depth on this week’s episode of the Intego Mac Podcast, so be sure to subscribe to make sure you don’t miss the latest episode. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

You can also follow Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).
