Apple releases iOS 12.4, macOS Mojave 10.14.6, and more security updates
Posted by Jay Vrijenhoek and Joshua Long
Apple released updates today for all of their operating systems and the Safari browser for Mac. Here’s a brief rundown of new features and security related fixes included with each update.
iOS 12.4
Apple says that this update introduces a new “iPhone migration” feature, which gives customers the ability to directly transfer data from an old iPhone to a new iPhone wirelessly during the setup process. It also includes enhancements to Apple News, and adds support for HomePod in Japan and Taiwan.
As usual, this iOS update contains security improvements for all devices that support iOS 12: iPhone 5s and later, iPad Air and later, or iPod touch 6th generation and later. In total, 37 security issues were addressed. A handful of the highlights:
FaceTime
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
Messages
Impact: A remote attacker may cause an unexpected application termination
Description: A denial of service issue was addressed with improved validation.
Siri
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input validation.
Telephony
Impact: The initiator of a phone call may be able to cause the recipient to answer a simultaneous Walkie-Talkie connection
Description: A logic issue existed in the answering of phone calls. The issue was addressed with improved state management.
Wallet
Impact: A user may inadvertently complete an in-app purchase while on the lock screen
Description: The issue was addressed with improved UI handling.
Of the 37 fixes, 22 were for WebKit, Apple’s web page rendering engine. All in all, a large number of CVEs were addressed in this update, so it is recommended to install it sooner rather than later.
The full list of security issues addressed can be found here. iOS 12.4 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes download and install the update for you.
tvOS 12.4
Listed as an update that includes general performance and stability improvements. Available for the Apple TV HD and Apple TV 4K, a total of 32 security issues were addressed, most of which are the same as those addressed in iOS 12.3. Among these fixes, the Kernel, WebKit and Siri all had some work done to make them more secure.
The full list of security issues addressed can be found here. The tvOS update can be downloaded directly to the Apple TV by going to Settings > System > Software Updates > Check for Update.
Apple TV Software 7.3.1
Apple also released a minor update for the Apple TV (3rd generation) containing “general performance and stability improvements.” No new features were listed as part of this update, and Apple’s security updates page indicates there are “no published CVE entries” related to this update.
The update can be downloaded directly to the Apple TV by going to Settings > General > Software Updates > Update Software.
watchOS 5.3
Apple says that watchOS 5.3 “includes new features, improvements and bug fixes and is recommended for all users.” The most prominent fix is Apple’s re-enabling of the Walkie-Talkie feature, which Apple had disabled two weeks earlier due to a security issue (as discussed on episode 92 of the Intego Mac Podcast).
The new watchOS update also adds support for two health features for users in Canada and Singapore: the ECG app on Apple Watch Series 4, and irregular heart rhythm notifications.
A total of 23 security-related issues were fixed, and as you may expect, these are the same as those addressed in iOS and tvOS.
The new watchOS can be installed by connecting the Apple Watch to its charger and then, on the iPhone, opening the Apple Watch app > My Watch tab > General > Software Update.
Safari 12.1.2
The latest version of Safari for Mac—available for macOS High Sierra and Sierra users, and included with macOS Mojave 10.14.6—brings a few bug fixes and enhancements that improve overall security. A total of 23 security issues were addressed, 22 of which were for WebKit; the remaining issue was in the Safari application itself, and had allowed malicious sites to spoof the address bar.
The full list of security issues addressed can be found here. The new Safari 12.1.2 can be downloaded through the Updates tab of the App Store. For macOS Mojave users it is included in macOS 10.14.6.
macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra
Naturally, macOS received updates as well. Mojave users were treated to both feature and security updates, while High Sierra and Sierra users only received security updates.
Apple says that the macOS Mojave 10.14.6 update improves the stability and reliability of your Mac, and is recommended for all users. The update includes improvements to Apple News+, along with fixes for an issue with Boot Camp on certain Macs with Fusion Drives, an issue that may cause a hang during a restart, a graphics issue that may occur when waking from sleep, an issue that may cause fullscreen video to appear black on Mac mini, and file sharing reliability over SMB.
In total, 44 security related issues were fixed in one or more of the three updates. These include:
Bluetooth
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
FaceTime
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
Graphics Drivers
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
Time Machine
Available for: macOS Mojave 10.14.5
Impact: The encryption status of a Time Machine backup may be incorrect
Description: An inconsistent user interface issue was addressed with improved state management.
Siri
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input validation.
The full list of security issues addressed can be found here. Users of macOS Mojave, High Sierra, and Sierra can install the updates via Apple menu > System Preferences… > Software Update.
iOS 9.3.6 and iOS 10.3.4
In an unexpected move, Apple also released updates for iOS 9 and iOS 10, apparently just to address GPS and time synchronization issues.
The updates are being made available specifically for GPS-enabled devices that cannot be upgraded to the latest versions of iOS, which includes iPhone 5 and iPad (4th generation) Wi-Fi + Cellular—both of which receive iOS 10.3.4—and iPhone 4s, iPad mini (1st generation) Wi-Fi + Cellular, iPad 2 Wi-Fi + Cellular, and iPad (3rd generation) Wi-Fi + Cellular—all of which receive iOS 9.3.6.
No update is available for iOS 11 because all devices compatible with iOS 11 are also compatible with iOS 12.
According to Apple, the updates contain “no published CVE entries,” meaning that if any security related issues were addressed, there is no public information about them at this time. It is very important to note that using devices with older versions of iOS is becoming increasingly unsafe; many serious security vulnerabilities have been fixed in iOS 12 that will presumably never be fixed in earlier versions of iOS.
Anyone still using an older iOS device should therefore consider upgrading to a model that will support iOS 13 or iPadOS 13, which will be released in the fall. The following devices are supposed to be compatible with iOS 13:
- iPhone SE, iPhone 6s and 6s Plus, iPhone 7 and 7 Plus, iPhone 8 and 8 Plus, iPhone X, iPhone Xʀ, iPhone Xs and Xs Max, and upcoming iPhone models (Apple is expected to release new models this fall around the launch of iOS 13)
  - Note that iPhone 5s, and iPhone 6 and 6 Plus, will no longer be supported, and presumably won’t receive any more security updates.
- iPod touch (7th generation)
  - Note that iPod touch (6th generation) will no longer be supported, and presumably won’t receive any more security updates.
  - Shockingly, this means that if you bought a new iPod touch as recently as May 2019 and just prior to the release of the new 7th-gen model, your device may be as little as 4 months old when Apple will stop releasing security updates for it (as discussed on episode 87 of the Intego Mac Podcast).
- iPad Air 2, iPad Air (3rd generation), iPad mini 4, iPad mini (5th generation), iPad (5th generation), iPad (6th generation), and all models of iPad Pro
  - Note that iPad Air, and iPad mini 2 and 3, will no longer be supported, and presumably won’t receive any more security updates.
Back up your Macs and iOS devices before updating
Whether you’re using iOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned. The most thorough way to back up your iOS device is to connect it to your computer and create an encrypted backup via the iTunes app, but you can also back up your device to iCloud. For backing up your Mac, see our related article:
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s experts discuss the top security and privacy concerns for users of Apple products—for example, the Walkie-Talkie security issue was discussed in episode 92, and the likely discontinuation of security updates for the 6th-gen iPod touch was discussed in episode 87. Be sure to subscribe to make sure you never miss the latest episode. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.