The Mac Security Blog

Apple releases macOS Catalina 10.15.6, iOS 13.6, and more

This week Apple released updates to all of its operating systems and Safari browser. Here’s a brief rundown of new features and security-related fixes included with each update.

iOS 13.6 and iPadOS 13.6

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Apple describes these updates’ new features as follows:

iOS 13.6 adds support for digital car keys, introduces audio stories in Apple News+ (US only), and contains a new symptoms category in the Health app. This release also includes bug fixes and improvements.

iPadOS 13.6 introduces local news in your Today feed in Apple News (US only) and includes bug fixes and improvements for your iPad.

Following is a sampling of the (non-security) bug fixes and improvements in these updates:

Many security-related issues were addressed as well, 29 of which are specifically mentioned. Here are some of them:

Audio
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.

Bluetooth
Impact: A remote attacker may cause an unexpected application termination
Description: A denial of service issue was addressed with improved input validation.

CoreFoundation
Impact: A local user may be able to view sensitive user information
Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.

GeoServices
Impact: A malicious application may be able to read sensitive location information
Description: An authorization issue was addressed with improved state management.

ImageIO
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.

Messages
Impact: A user that is removed from an iMessage group could rejoin the group
Description: An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification.

Safari Login AutoFill
Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain
Description: A logic issue was addressed with improved restrictions.

Three of the fixes were for bugs in the kernel, the core component of the operating system, addressing serious issues such as the access of restricted memory by applications and arbitrary code execution. There were also several security fixes related to WebKit, a page-rendering framework utilized by Safari and many other parts of the operating system.

The full list of security issues addressed can be found here.

iOS 12.4.8

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation

Apple describes iOS 12.4.8 simply as an update that “provides important security updates and is recommended for all users.” No specific security-related release notes were available at the time of writing. Apple’s website simply states, “This update has no published CVE entries.” This statement sometimes means that security issues were addressed that cannot yet be published, as those same issues exist in other operating systems that have not been fixed yet.

Regardless of whether your device is compatible with iOS 13 or iPadOS 13, or if it is limited to iOS 12, you can obtain the updates over the air (without tethering to a computer) by going to Settings > General > Software Update. You can also connect your device to your Mac (or your Windows PC with iTunes) to install the update.

tvOS 13.4.8

Apple simply states that tvOS 13.4.8 “includes general performance and stability improvements.” The update is available for the Apple TV 4K and Apple TV HD. A total of 20 security issues were specifically mentioned, most of which are the same as those addressed in iOS and iPadOS 13.4.8. Among other parts of the operating system, the kernel, WebKit, and GeoServices all had some work done to make them more secure.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 6.2.8

Available for: Apple Watch Series 1 and later

Apple says that watchOS 6.2.8 includes the following “new features and improvements”:

A total of 19 security-related issues were specifically mentioned as having been fixed. As one might expect, these issues overlap with those addressed in iOS, iPadOS, and tvOS.

The full list of security issues addressed can be found here.

watchOS 5.3.8

Available for: Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to an iPhone with iOS 12 installed

Similar to the iOS 12.4.8 update, Apple simply states that watchOS 5.3.8 “provides important security updates and is recommended for all users.” No security-related release notes were available at the time of writing. Apple’s website simply states “This update has no published CVE entries.” Again, like the iOS 12.4.8 update, this could potentially mean that security issues were addressed that cannot yet be published, as those same issues may exist in other operating systems that have not been fixed yet.

To update watchOS, connect the watch to its charger, then on the iPhone open the Apple Watch app and go to My Watch tab > General > Software Update.

Safari 13.1.2

The latest version of Safari, included in macOS Catalina and also available for macOS Mojave and macOS High Sierra, contains improvements to tabs, performance, and security. Eleven security issues were specifically mentioned, and two of the most notable are as follows:

Safari Downloads
Impact: A malicious attacker may be able to change the origin of a frame for a download in Safari Reader mode
Description: A logic issue was addressed with improved restrictions.

Safari Login AutoFill
Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain
Description: A logic issue was addressed with improved restrictions.

Of the eleven fixes, eight address the aforementioned WebKit vulnerabilities.

The full list of security issues addressed can be found here. Safari 13.1.2 can be downloaded through the Updates tab of the App Store for High Sierra and through System Preferences > Software Update for Mojave. For macOS Catalina, it is included in macOS 10.15.6.

macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra

Last but not least, macOS received some updates: security-only updates for Mojave and High Sierra, and a bugfix-plus-security update for Catalina:

macOS Catalina 10.15.6 introduces local news in your Today feed in Apple News and improves the security and reliability of your Mac. A few highlights:

  • Adds a new option to optimize video streaming on HDR-compatible Mac notebooks for improved battery life
  • Fixes an issue where the computer name may change after installing a software update
  • Resolves an issue where certain USB mouse and trackpads may lose connection
  • (Enterprise) Major new releases of macOS can be hidden when using the softwareupdate(8) command with the --ignore flag, if the Mac is enrolled in Apple School Manager, Apple Business Manager, or a user-approved MDM.

Of course there are security fixes included as well, of which 19 are specifically named. Of these, 17 are exclusively available for macOS Catalina and are not addressed for previous macOS versions. As is typical, Apple did not clarify in its security release notes whether the issues only addressed for Catalina are non-issues in Mojave and High Sierra, or whether Apple decided to only address the issues for Catalina even though older macOS versions may be affected.

Some of the highlights include:

CoreFoundation
Available for: macOS Catalina 10.15.5
Impact: A local user may be able to view sensitive user information
Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.

Mail
Available for: macOS Catalina 10.15.5
Impact: A remote attacker can cause a limited out-of-bounds write, resulting in a denial of service
Description: An input validation issue was addressed.

Messages
Available for: macOS Catalina 10.15.5
Impact: A user that is removed from an iMessage group could rejoin the group
Description: An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification.

Vim (a command-line text editor included with UNIX and macOS)
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: A remote attacker may be able to cause arbitrary code execution
Description: This issue was addressed with improved checks.

CoreAudio
Available for: macOS High Sierra 10.13.6
Impact: A buffer overflow may result in arbitrary code execution
Description: A buffer overflow was addressed with improved bounds checking.

The full list of security issues addressed can be found here. macOS High Sierra users can find the security update in the App Store app under the Updates tab. Mojave and Catalina users should visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update) instead. Standalone updates can also be downloaded from the following links:

Whether you’re using iOS, iPadOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly
