Software & Apps

Over the last two weeks, Apple released updates to all of its operating systems and Safari browser. Here’s a brief rundown of new features and security related fixes included with each update.

Note that Apple withheld security notes for the May 18th and May 20th updates until macOS update notes were released on May 26th. Below we’ve included selections from all of these updates, including newly released details.

iOS 13.5 and iPadOS 13.5

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Apple describes these updates’ new features as follows:

iOS 13.5 speeds up access to the passcode field on devices with Face ID when you are wearing a face mask and introduces the Exposure Notification API to support COVID-19 contact tracing apps from public health authorities. This update also introduces an option to control automatic prominence of video tiles on Group FaceTime calls and includes bug fixes and other improvements. A few highlights:

• Simplified unlock process for devices with Face ID when you are wearing a face mask
• Exposure Notification API to support COVID-19 contact tracing apps from public health authorities
• Option to automatically share health and other essential information from your Medical ID with emergency services when you place an emergency call (US only)
• Fixes an issue where users may see a black screen when trying to play streaming video from some websites

Some security-related issues were addressed as well, 45 of which were specifically named—which makes this quite a big update. Here’s a sampling of some of the noteworthy vulnerabilities that were addressed:

Accounts
Impact: A remote attacker may be able to cause a denial of service
Description: A denial of service issue was addressed with improved input validation.

AirDrop
Impact: A remote attacker may be able to cause a denial of service
Description: A denial of service issue was addressed with improved input validation.

AppleMobileFileIntegrity
Impact: A malicious application could interact with system processes to access private information and perform privileged actions
Description: An entitlement parsing issue was addressed with improved parsing.

Bluetooth
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.

FaceTime
Impact: A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.

Messages
Impact: Users removed from an iMessage conversation may still be able to alter state
Description: This issue was addressed with improved checks.

The kernel, the core component of the operating system, received ten named fixes that addressed serious issues such as the access of restricted memory by applications and arbitrary code execution. There were also nine named security fixes related to WebKit, a page-rendering framework utilized by Safari and many other parts of the operating system.

The full list of security issues addressed can be found here. It’s a long list, and some pretty significant security issues have been resolved, making this update worth prioritizing.

iOS 12.4.7

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation

Apple describes iOS 12.4.7 simply as an update that “provides important security updates and is recommended for all users.” Apple names three specific security related issues: two for Mail, and one for Wi-Fi.

Regardless of whether your device is compatible with iOS 13 or iPadOS 13, or if it is limited to iOS 12, you can obtain the updates over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

tvOS 13.4.5

Apple simply states that tvOS 13.4.5 “includes general performance and stability improvements.” Available for the Apple TV HD and Apple TV 4K’s, 31 security issues were specifically mentioned as having been addressed. Most of them the same as those addressed in iOS and iPadOS 13.5. Among other parts of the operating system, the kernel, WebKit, and AppleMobileFileIntegrity all had some work done to make them more secure.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 6.2.5

Available for: Apple Watch Series 1 and later

Apple says that watchOS 6.2.5 includes “new features, improvements, and bug fixes.”

A total of 32 security-related issues were named as having been fixed. As one might expect, these issues overlap with those addressed in the latest iOS, iPadOS, and tvOS updates.

The full list of security issues addressed can be found here.

watchOS 5.3.7

Available for: Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to an iPhone with iOS 12 installed

Similar to the iOS 12.4.7 update, Apple simply states that watchOS 5.3.7 “provides important security updates and is recommended for all users.” Apple has addressed two security related issues: one for Mail, and one for Wi-Fi.

watchOS can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

Safari 13.1.1

The latest version of Safari, included in macOS Catalina and also available for macOS Mojave and macOS High Sierra, contains improvement to tabs, performance and security. Ten security issues were specifically mentioned as having been addressed, including the following:

Safari
Impact: A malicious process may cause Safari to launch an application
Description: A logic issue was addressed with improved restrictions.

WebKit
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved restrictions.

Out of the ten fixes, nine were for WebKit.

The full list of security issues addressed can be found here. Safari 13.1.1 can be downloaded through the Updates tab of the App Store for High Sierra and through System Preferences > Software Update for Mojave. For macOS Catalina, it is included in macOS 10.15.5.

macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

Last but not least, macOS received some updates: security-only updates for Mojave and High Sierra, and a bugfix-plus-security update for Catalina:

macOS Catalina 10.15.5 introduces battery health management in the Energy Saver settings for notebooks, a new option to disable automatic prominence in Group FaceTime calls, and controls to fine-tune the built-in calibration of your Pro Display XDR. The update also improves the stability, reliability, and security of your Mac.

• Battery health management to help maximize battery lifespan for Mac notebooks (and an option to disable this feature)
• New option to control automatic prominence on Group FaceTime calls, so video tiles do not change size when a participant speaks
• Controls to fine-tune the built-in calibration of your Pro Display XDR by adjusting the white point and luminance for a precise match to
  your own display-calibration target
• Fixes an issue where System Preferences would continue to show a notification badge even after installing an update
• Resolves a stability issue when transferring large amounts of data to RAID volumes

Of course, there are security-related fixes included as well, 48 of which Apple specifically names. Of these, 18 are exclusively available for macOS Catalina, and the rest are available for all of the currently supported macOS versions. Some of the highlights:

Accounts
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A logic issue was addressed with improved restrictions.

AppleUSBNetworking
Available for: macOS Catalina 10.15.4
Impact: Inserting a USB device that sends invalid messages may cause a kernel panic
Description: A logic issue was addressed with improved restrictions.

Calendar
Available for: macOS Catalina 10.15.4
Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information
Description: This issue was addressed with improved checks.

FontParser
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.

SIP (System Integrity Protection)
Available for: macOS Catalina 10.15.4
Impact: A non-privileged user may be able to modify restricted network settings
Description: A logic issue was addressed with improved restrictions.

The Kernel received 10 named fixes. This alone makes these updates worth installing sooner rather than later.
The full list of security issues addressed can be found here. macOS High Sierra users can find the security update in the App Store app under the Updates tab. Mojave and Catalina users should visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update) instead. Standalone updates can also be downloaded from the following links:

• macOS Catalina 10.15.5 Update (for 10.15.4)
• macOS Catalina 10.15.5 Combo Update (for 10.15 through 10.15.3)
• Security Update 2020-003 (Mojave)
• Security Update 2020-003 (High Sierra)

Whether you’re using iOS, iPadOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

How can I learn more?

Each week on on the Intego Mac Podcast, Intego’s experts discuss security, privacy, and Apple-related topics. Be sure to subscribe to make sure you never miss the latest episode!

Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

And make sure you’re following Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Jay Vrijenhoek