![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/03\/ios-software-update-available-icon-600x300-e1558142227486.png\"){kind=icon}
<\/p>\n<\/p>\n
UPDATE:\u00a0<\/strong>On Friday, September 27, Apple released two more updates\u2014iOS 13.1.1 and iPadOS 13.1.1\u2014to address the following issue:<\/p>\n Sandbox On Thursday, September 26, Apple released security updates for iOS, watchOS, and three macOS versions, and over the past week Apple also fixed security flaws in iPadOS, Safari for Mac, Xcode, and tvOS. Apple finally provided security notes today for all of these updates. Here’s a brief rundown of new features and security related fixes included with each update.<\/p>\n The focus of today’s updates was a single security related issue:<\/p>\n Foundation This issue was serious enough for Apple to push out an update that’s even available for those running older iOS and watchOS versions:<\/p>\n It would be nice if Apple supported the two previous iOS versions with security updates just like it does with macOS, but I expect this to be a one-off event due to the apparent threat level of the addressed issue.<\/p>\n Perhaps this surprise iOS 12 security update could also have something to do with the recency of iOS 13’s release; some users may not have figured out that their iPhone 6, for example, is ineligible for iOS 13, and haven’t yet purchased a newer phone.<\/p>\n On the other hand, perhaps this could be a sign that Apple might continue to release security updates for the previous major iOS version, but only time will tell.<\/p>\n Meanwhile, it makes sense for Apple to have updated watchOS 5 even though watchOS has 6 is out, specifically because Apple has delayed the release of watchOS 6 for the Apple Watch Series 1 and 2 until “later this year.”<\/p>\n Over the last week, of course, we have seen the release of major updates for every Apple operating system except for macOS (Catalina is delayed until sometime in October), as well as Xcode and Safari for macOS, but Apple completely held back the security details until today.<\/p>\n When this happens, we can assume this is because the issues have not yet been addressed on some of Apple’s platforms (or in rarer cases, like with\u00a0Meltdown and Spectre<\/a>\u00a0last year, multiple companies may be planning a coordinated disclosure). Once Apple releases all the patches (or at the appointed time of a coordinated disclosure), security notes follow.<\/p>\n The notes for today’s updates as well as the earlier updates were all published simultaneously today, so now we can give you the skinny on all of them.<\/p>\n iOS 13 saw at least nine security related issues addressed, followed by another in iOS 13.1, and today one of the bugs that had been fixed in iOS 13 (the Foundation issue described above) was also fixed in iOS 12.4.2.<\/p>\n A few interesting fixes in iOS 13 (in addition to the Keyboards issue described in the tvOS section below) included:<\/p>\n Face ID Messages Safari iOS 13.1 and iPadOS 13.1 only include one documented security fix (for another “lock screen bypass” bug similar to the Messages one above):<\/p>\n VoiceOver iOS 13.1 and iPadOS 13.1 can be downloaded over the air (i.e. directly onto a device) by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong>. You can also connect your iOS device to your Mac and use the iTunes app to check for, download, and install the iOS update.<\/p>\n Strangely, Apple still hasn’t fixed a flaw in the iOS version of Safari that allows anyone to send fake news headlines<\/a> from popular news sites\u2014a bug discovered more than seven months ago.<\/p>\n Apple still hasn’t fixed this 7-month-old iOS Safari\/Messages bug<\/a>.<\/p><\/div>\n Safari 13, at the time of its release on September 19, only saw one issue addressed:<\/p>\n WebKit Page Loading Safari 13.0.1, released on September 24, added two more fixes:<\/p>\n Safari Service Workers Users of macOS Mojave and High Sierra can install the latest version of Safari via\u00a0Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>.<\/p>\n Although watchOS 6 was released on September 19 (for Apple Watch Series 3, 4, and 5), we finally learned today that the only security issue addressed was the one for Foundation, described above. Meanwhile, watchOS 5.3.2 (for Apple Watch Series 1 and 2) was released today and addressed the same security issue.<\/p>\n The new watchOS update can be installed by connecting your Apple Watch to its charger, then on the iPhone open the Apple Watch app<\/strong> > My Watch tab<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n We learned today that tvOS 13, released on September 24, included one newly documented security fix (which was also fixed in iOS 13 for iPhone 6s and later):<\/p>\n Keyboards The tvOS update can be downloaded directly from the Apple TV by going to Settings<\/strong> > System<\/strong> > Update Software<\/strong>.<\/p>\n Xcode, Apple’s software development suite, received a major update to version 11.0 on September 20, and it included fixes for seven security issues. Registered developers can download Xcode via Apple’s developer downloads page<\/a>.<\/p>\n Apple’s update release schedule has been a bit messy lately, and this in turn has led to the security notes being unavailable or incomplete for more than a week in some cases.<\/p>\n There is always the possibility of additional entries being added at a later date, particularly if a future Apple update addresses another bug that was silently addressed in past updates, or if there are coordinated vulnerability disclosures as mentioned above.<\/p>\n Whether you’re using iOS, iPadOS, or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned. The most thorough way to back up your iOS or iPadOS device is to connect it to your computer and create an encrypted backup via the iTunes app, but you can also back up your device to iCloud as well. For backing up your Mac, see our related article:<\/p>\n How to Verify Your Backups are Working Properly<\/a><\/p><\/blockquote>\n
\n<\/strong>Impact: Third party app extensions may not receive the correct sandbox restrictions
\nDescription: A logic issue applied the incorrect restrictions. This issue was addressed by updating the logic to apply the correct restrictions.<\/p><\/blockquote>\n
\n
\n<\/strong>Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
\nDescription: An out-of-bounds read was addressed with improved input validation.<\/p><\/blockquote>\n\n
Normally, iOS and watchOS get updates for one version<\/h3>\n
Delays in disclosure<\/h3>\n
iOS 13, 13.1, 12.4.2 and iPadOS 13.1<\/h3>\n
\n<\/strong>Available for: iPhone X and later
\nImpact: A 3D model constructed to look like the enrolled user may authenticate via Face ID
\nDescription: This issue was addressed by improving Face ID machine learning models.<\/p>\n
\n<\/strong>Available for: iPhone 6s and later
\nImpact: A person with physical access to an iOS device may be able to access contacts from the lock screen
\nDescription: The issue was addressed by restricting options offered on a locked device.<\/p>\n
\n<\/strong>Available for: iPhone 6s and later
\nImpact: Visiting a malicious website may lead to address bar spoofing
\nDescription: A logic issue was addressed with improved state management.<\/p><\/blockquote>\n
\n<\/strong>Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
\nImpact: A person with physical access to an iOS device may be able to access contacts from the lock screen
\nDescription: The issue was addressed by restricting options offered on a locked device.<\/p><\/blockquote>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-Safari-iMessage-bug-false-headline-fake-news-600x420.png\")
Safari 13 and 13.0.1<\/h3>\n
\n<\/strong>Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6
\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting
\nDescription: A logic issue was addressed with improved state management.<\/p><\/blockquote>\n
\n<\/strong>Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
\nImpact: Visiting a malicious website may lead to user interface spoofing
\nDescription: An inconsistent user interface issue was addressed with improved state management.<\/p><\/blockquote>\n
\n<\/strong>Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
\nImpact: Service workers may leak private browsing history
\nDescription: The issue was addressed with improved handling of service worker lifetime.<\/p><\/blockquote>\nwatchOS 6 and 5.3.2<\/h3>\n
tvOS 13<\/h3>\n
\n<\/strong>Available for: Apple TV 4K and Apple TV HD
\nImpact: A local user may be able to leak sensitive user information
\nDescription: An authentication issue was addressed with improved state management.<\/p><\/blockquote>\nXcode 11.0<\/h3>\n
A mess of updates<\/h3>\n
Back up your Macs and mobile devices before updating<\/h3>\n