
Latest Apple Security Update



When it comes to updates, Apple doesn't do 'predictable'.


Other organisations such as Microsoft, Mozilla and Adobe are well-known for publishing updates not only frequently but also regularly.

Indeed, with those companies, you don't just get updates at least once a month (or once every four weeks for Mozilla), but the pre-announced ones are always scheduled to arrive on Tuesdays.

Never Mondays, because some big organisations have IT rules that set Mondays aside for clearing up any crises that might have happened over the immediately preceding weekend.

Never Fridays, in case of any crises that might arise in the immediately following weekend as a result.

And never Wednesdays or Thursdays, because Tuesday gives you the longest clear run of spare weekdays before Friday arrives and shuts down the so-called 'change window' once again.

Apple, on the other hand, follows a more reclusive approach, so that macOS and iOS updates – with very occasional exceptions – show up unexpectedly, with no pre-announcement of the nature, scale or importance of what's getting fixed:

For the protection of our customers, Apple doesn't disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available.

Apple released Security Update 2020-002 for High Sierra and Mojave on March 24. Apple also released Catalina 10.5.4, which includes the same security fixes. In High Sierra, macOS 10.13 the update.

The latest update for your iPhone and iPad will make them safer than ever. And as is typical for Apple and a new iOS release, security and privacy enhancements are front and center. 'Together with iPhone, iOS is central to how we navigate our lives and stay connected, and we are making it even more powerful and easier to use in iOS 14, with the biggest update ever to the Home Screen,' said Craig Federighi, Apple's senior vice president of Software Engineering.

Security Updates 2020-005 for macOS Mojave 10.14 (18G6032) & High Sierra 10.13 (17G14033) are now available.

UPDATE 10/02/20 – Apple has just released a new Mojave Supplemental Update to fix all the problems of the previous Safari 14.0 Update.


The idea seems to be to give cybercriminals the fewest hints about where the latest bugs might be, and the least amount of advance warning about where to start looking.

In other words, the crooks have very little to go on except what they can glean from reverse engineering the patches and comparing the new code to the old, and they only find out for sure what the patches look like at the same time that the rest of us can download and deploy them.

On the other hand, Apple's cone of silence can sometimes be annoying and hard to understand, because it means that concerned users can never be quite sure when already-known bugs in open source components that ship with Apple's products are going to be fixed.


For example, the latest update includes a patch on older macOS versions for CVE-2019-20807, a remote code execution bug in Vim, an open source text editor that ships as part of the macOS distribution and is extremely popular and widely used in the technical community:

That bug has been well-documented since early 2020, and clearly dates back to 2019, so Apple's policy of not saying whether it's looking into already-known vulnerabilities or not, but of keeping quiet unless and until an update turns up, leaves users uncertain as to whether:

  • Apple's implementation of the vulnerable product is built in such a way as to be immune.
  • Apple is aware of the flaw but has decided it's unimportant and doesn't plan on fixing it.
  • Apple is aware of the flaw and has already patched it but just not shipped the fix yet.
  • Apple hasn't realised that the vulnerability even exists and won't be fixing it on that account.

Of course, we know now that Apple did know about the Vim issue mentioned above, and has patched it at last, so any users who were wondering about it can now scratch that one off their list of concerns…

…but keeping silent even about bugs that are already well-known – as well as documented and fixed by other vendors – seems a strange choice.

What's fixed?

A few of the macOS fixes caught our eye:

  • Several file handling bugs could lead to remote code execution. Bugs that could be abused to implant malware simply by opening up a booby-trapped multimedia file were patched in several parts of the system. The CoreAudio, ImageIO, and Model I/O system libraries are all listed as having file processing bugs, but Apple hasn't given an exhaustive list of which file formats are the risky ones. (See CVE-2020-9884, CVE-2020-9889, CVE-2020-9888, CVE-2020-9890, CVE-2020-9891, CVE-2020-9866, CVE-2020-9936, CVE-2020-9878.)

    Note that even if a bug exists in a file type that you never use, such as an arcane image or video format, you are still at risk from booby-trapped web downloads or email attachments.

    After all, the operating system knows what file types it can handle and will typically choose which file processing code to use automatically, so the crooks don't have to rely on you jumping through hoops to figure out how to infect yourself by mistake when they send you files with extensions you've never heard of.

  • A bug in the macOS Crash Reporter could allow a sandbox escape. The sandbox is used to prevent software from using parts of the system that it will never need, thus minimising the damage it can do, even by accident. So there's a wry irony that the very tool that's supposed to help you submit security reports to Apple could be abused by a malicious app to let it wriggle out of those sandbox safety constraints. (See CVE-2020-9865.)
  • Several kernel-level bugs that could lead to remote code execution at the highest privilege. Implanting malware via a kernel exploit gives an attacker much more control than just taking over a regular user account, and more even than getting an administrator-level (root) login. (See: CVE-2020-9799, CVE-2019-14899, CVE-2020-9864.)
  • A VPN hole that could let someone mess with encrypted network traffic. In Apple's words, 'an attacker in a privileged network position may be able to inject into active connections within a VPN tunnel.' (CVE-2019-14899.)

There are also a bunch of fixes in Safari, including patches for remote code execution vulnerabilities, that you need to download separately if you are still using macOS Mojave or High Sierra. (On the latest version, macOS Catalina, the Safari update arrives along with the main macOS patches.)

Users of iOS 13 on iPhones and iPads get an update to 13.6 covering many of the bugs listed above, given that macOS and iOS share a huge amount of code.


The iOS 12.4.8 update, however, which is the only pre-13 iOS version still supported, 'has no published CVE entries', according to Apple, which implies that it received little more than a touch of spit-and-polish.

What to do?

Get the updates while they're hot!

There's nothing here that sounds anywhere near as dramatic as Microsoft's just-patched 'SIGRed' bug in its DNS server, but that bug admittedly attracted special attention as much because of its funky name (dramatically channelling the 'Code Red' worm of 2001) as because of its current danger.

Kernel-level remote code execution risks like the ones listed above are always worth patching as quickly as you can, because they can be considered trophy bugs for any cybercriminal.

A crook who figured out a working exploit for any of the kernel holes mentioned would almost certainly (and immediately) find any number of willing buyers on the dark web.

On a Mac, go to Apple menu > System Preferences > Software Update.

On iPhones and iPads, it's Settings > General > Software Update.

After the update, depending how many Apple devices you have, you should be on some, many or all of: iOS 12.4.8, iOS 13.6, macOS 10.15.6 (if you are on Catalina), macOS 10.13.6 with Security Update 2020-004 (High Sierra), macOS 10.14.6 with Security Update 2020-004 (Mojave), and Safari 13.1.2.
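If you look after more than a handful of Macs, checking each one's version against the list above by hand gets tedious. The script below is an added example (it is not code from the article or from Apple) that compares a Mac's reported macOS version, and whether Security Update 2020-004 has been installed, against the July 2020 targets: Catalina 10.15.6, and Mojave 10.14.6 or High Sierra 10.13.6 plus Security Update 2020-004. It assumes that `system_profiler SPInstallHistoryDataType` lists installed Security Updates by name, which is how it detects 2020-004; on anything other than a Mac it runs over constructed sample versions instead.

```shell
#!/bin/sh
# Added example: compliance check for the post-update macOS versions the
# article lists. Not part of the article or of Apple's tooling.

# version_ge CUR MIN: succeed (exit 0) when dotted version CUR >= MIN.
# Compares up to three numeric components; a missing component counts as 0,
# so "10.15" is treated as "10.15.0".
version_ge() {
    cur=$1
    min=$2
    i=1
    while [ "$i" -le 3 ]; do
        c=$(printf '%s' "$cur" | cut -d. -f"$i")
        m=$(printf '%s' "$min" | cut -d. -f"$i")
        c=${c:-0}
        m=${m:-0}
        if [ "$c" -gt "$m" ]; then return 0; fi
        if [ "$c" -lt "$m" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# patch_status VERSION [SECURITY_UPDATE]: print "patched", the update that is
# still missing, or "unsupported" for release trains these updates do not cover.
patch_status() {
    ver=$1
    su=${2:-none}
    case "$ver" in
        10.15|10.15.*)
            # Catalina: the Safari fixes ship inside the point release
            if version_ge "$ver" 10.15.6; then echo patched; else echo "update to 10.15.6"; fi
            ;;
        10.14|10.14.*|10.13|10.13.*)
            # Mojave / High Sierra: point release plus a separately listed Security Update
            train=$(printf '%s' "$ver" | cut -d. -f1,2)
            if ! version_ge "$ver" "$train.6"; then
                echo "update to $train.6"
            elif [ "$su" != "2020-004" ]; then
                echo "needs Security Update 2020-004"
            else
                echo patched
            fi
            ;;
        *)
            echo unsupported
            ;;
    esac
}

# On a Mac, read the live values; elsewhere, run over constructed samples.
# Assumption: "system_profiler SPInstallHistoryDataType" lists installed
# Security Updates by name, which is how the script detects 2020-004.
main() {
    if command -v sw_vers >/dev/null 2>&1; then
        ver=$(sw_vers -productVersion)
        su=none
        if system_profiler SPInstallHistoryDataType 2>/dev/null | grep -q 'Security Update 2020-004'; then
            su=2020-004
        fi
        echo "macOS $ver (Security Update: $su): $(patch_status "$ver" "$su")"
    else
        # Constructed sample versions, not readings from a real machine
        for sample in 10.15.5:none 10.15.6:none 10.14.6:none 10.14.6:2020-004 10.12.6:none; do
            ver=${sample%%:*}
            su=${sample##*:}
            echo "macOS $ver (Security Update: $su): $(patch_status "$ver" "$su")"
        done
    fi
}

main "$@"
```

Run it with `sh check_macos_patch.sh` on each Mac. Note that it only covers the operating system: on Mojave and High Sierra the Safari 13.1.2 update is a separate download, so its version has to be checked on its own.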

How to get updates for macOS Mojave or later

If you've upgraded to macOS Mojave or later, follow these steps to keep it up to date:

  1. Choose System Preferences from the Apple menu, then click Software Update to check for updates.
  2. If any updates are available, click the Update Now button to install them. Or click 'More info' to see details about each update and select specific updates to install.
  3. When Software Update says that your Mac is up to date, the installed version of macOS and all of its apps are also up to date. That includes Safari, iTunes, Books, Messages, Mail, Calendar, Photos, and FaceTime.

To find updates for iMovie, Garageband, Pages, Numbers, Keynote, and other apps that were downloaded separately from the App Store, open the App Store on your Mac, then click the Updates tab.

To automatically install macOS updates in the future, including apps that were downloaded separately from the App Store, select 'Automatically keep my Mac up to date.' Your Mac will notify you when updates require it to restart, so you can always choose to install those later.

How to get updates for earlier macOS versions

If you're using an earlier macOS, such as macOS High Sierra, Sierra, El Capitan, or earlier,* follow these steps to keep it up to date:


  1. Open the App Store app on your Mac.
  2. Click Updates in the App Store toolbar.
  3. Use the Update buttons to download and install any updates listed.
  4. When the App Store shows no more updates, the installed version of macOS and all of its apps are up to date. That includes Safari, iTunes, iBooks, Messages, Mail, Calendar, Photos, and FaceTime. Later versions may be available by upgrading your macOS.

To automatically download updates in the future, choose Apple menu > System Preferences, click App Store, then select 'Download newly available updates in the background.' Your Mac will notify you when updates are ready to install.


* If you're using OS X Lion or Snow Leopard, get OS X updates by choosing Apple menu > Software Update.

How to get updates for iOS

Learn how to update your iPhone, iPad, or iPod touch to the latest version of iOS.

Learn more

  • Learn how to upgrade to the latest version of macOS.
  • Find out which macOS your Mac is using.
  • You can redownload apps that you previously downloaded from the App Store.
  • Your Mac doesn't automatically download large updates when it's using a Personal Hotspot.



