While Apple fanbois rage at Catalina, iGiant quietly drops iOS and macOS security patches


RCEs and all sorts of other vulns plugged, so get installing

Apple has released patches for the hated macOS Catalina – but not to fix the operating system’s UI failures. These are security updates also affecting iOS and Apple Watches, and include one that prevents a remote attacker from executing code on your iThings.

Affecting macOS Catalina 10.15, Mojave 10.14.6 and High Sierra 10.13.6, the most serious of these vulnerabilities could allow an attacker to access protected areas of memory, gain elevated privileges and execute arbitrary code on the system or cause denial-of-service conditions.

The patches come just three weeks after the last run of security fixes for the near universally disliked Catalina version of macOS.

The most alarming of the patch batch for Catalina is a fix for CVE-2019-8716, affecting AppleGraphicsControl, which Cupertino bluntly summarises as: “An application may be able to execute arbitrary code with system privileges.” The fix is given as “improved memory handling”.

Further down the list there’s a fix for a vuln that lets a local attacker “log in to the account of a previously logged in user without valid credentials”, as well as one for High Sierra 10.13.6 and Mojave 10.14.6, in which a crafted audio file can also lead to “arbitrary code execution”. There’s a lot more of the same on Apple’s support page here.

It’s not surprising that famously talkative Apple isn’t particularly forthcoming with details of what it’s plugging, though the CVE numbers have been assigned, and might be populated over the coming months. The Register has asked a few of the named researchers if they feel like talking about their discoveries and will update if we hear more.

As we said about the last run of Apple patches, “the first major public releases of Apple’s OS software tend to be a little bumpy.” It looks like these are the ones intended to smooth out those bumps, at least on the security front.

In other Apple news, Cupertino has reportedly pulled iOS 13.2 after it began bricking HomePod smart speakers after installation. ®
