![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/03\/ios-software-update-available-icon-600x300-e1558142227486.png\"){kind=icon}
<\/p>\n<\/p>\n
Apple released updates to all of its operating systems and Safari browser today. Here’s a brief rundown of new features and security-related fixes included with each update.<\/p>\n
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation<\/p>\n
Apple describes these updates’ new features as follows:<\/p>\n
iOS 13.4 introduces new Memoji stickers and iCloud Drive folder sharing from the Files app. This update also contains bug fixes and improvements.<\/p><\/blockquote>\n
The list of fixes is long so you can have a look at the complete list here on Apple’s website<\/a>. Some highlights:<\/p>\n
\n\n
- Adds status bar indicator to display when VPN has disconnected on iPhone models with all-screen displays<\/li>\n
- Fixes an issue in Mail where messages may appear out of order<\/li>\n
- Fixes an issue in Settings where cellular data may incorrectly display as off<\/li>\n
- Fixes an issue in Safari where a CAPTCHA tile may display incorrectly<\/li>\n
- Resolves an issue where CarPlay may lose its connection in certain vehicles<\/li>\n<\/ul>\n<\/blockquote>\n
Several security related issues were addressed as well, 30 of which Apple specifically named. Here are some of them:<\/p>\n
ActionKit<\/strong>
\nImpact: An application may be able to use an SSH client provided by private frameworks
\nDescription: This issue was addressed with a new entitlement.
\n<\/strong>
\nBluetooth
\n<\/strong>Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
\nDescription: A logic issue was addressed with improved state management.
\n<\/strong>
\nMail
\n<\/strong>Impact: A local user may be able to view deleted content in the app switcher
\nDescription: The issue was resolved by clearing application previews when content is deleted.
\n<\/strong>
\nMessages
\n<\/strong>Impact: A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled
\nDescription: A logic issue was addressed with improved state management.<\/p><\/blockquote>\nTwo of the fixes were for bugs in the kernel, the core component of the operating system, addressing serious issues such as the access of restricted memory by applications and arbitrary code execution. There were also several security fixes related to WebKit, a page-rendering framework utilized by Safari and many other parts of the operating system.<\/p>\n
The full list of security issues addressed can be found here<\/a>.<\/p>\n
iOS 12.4.6<\/h3>\n
Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation<\/p>\n
Apple describes iOS 12.4.6 simply as an update that “provides important security updates and is recommended for all users.” No specific security-related release notes were available at the time of writing. Apple’s website simply states, “This update has no published CVE entries.<\/span>” This statement sometimes means that security issues were addressed that can not yet be published, as those same issues exist in other operating systems that have not been fixed yet.<\/p>\n
Regardless of whether your device is compatible with iOS 13 or iPadOS 13, or if it is limited to iOS 12, you can obtain the updates\u00a0over the air by going to <\/span>Settings<\/strong> > <\/span>General<\/strong> > <\/span>Software Update<\/strong>. You can also connect your iOS device to your Mac and let iTunes do the update for you.<\/span><\/p>\n
tvOS 13.4<\/h3>\n
Listed simply as an update that includes general performance and stability improvements. Available for the Apple TV HD and Apple TV 4K’s, a total of 20 security issues were addressed. Most of them the same as those addressed in iOS and iPadOS 13.4. Kernel, WebKit and IOHIDFamily all had some work done to make them more secure.<\/p>\n
The full list of security issues addressed can be found here<\/a>. The tvOS update can be downloaded directly from the Apple TV by going to Settings<\/strong> > System<\/strong> > Update Software<\/strong>.<\/p>\n
watchOS 6.2<\/h3>\n
Available for: Apple Watch Series 1 and later<\/p>\n
Apple says that watchOS 6.2 “includes new features, improvements, and bug fixes.”<\/span><\/p>\n
Apple specified 17 security-related issues that were fixed. As one might expect, these overlap with the issues addressed in the latest updates for iOS, iPadOS, and tvOS.<\/p>\n
The full list of security issues addressed can be found here<\/a>.<\/p>\n
watchOS 5.3.6<\/h3>\n
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to an iPhone with iOS 12 installed<\/p>\n
Similar to the iOS 12.4.6 update, Apple simply states that watchOS 5.3.6 “provides important security updates and is recommended for all users.” No security-related release notes were available at the time of writing. Apple’s website simply states “This update has no published CVE entries.<\/span>” Again, like the iOS 12.4.6 update, this could potentially mean that security issues were addressed that can not yet be published, as those same issues may exist in other operating systems that have not been fixed yet.<\/p>\n
watchOS can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app<\/strong> > My Watch tab<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n
Safari 13.1<\/h3>\n
The latest version of Safari, included in macOS Catalina and also available for macOS Mojave and macOS High Sierra, contains improvement to tabs, performance and security. Apple specifically names 11 security issues that were addressed, a couple of which include:<\/p>\n
Safari Downloads
\n<\/strong>Impact: A malicious iframe may use another website\u2019s download settings
\nDescription: A logic issue was addressed with improved restrictions.
\n<\/strong>
\nWebKit
\n<\/strong>Impact: Processing maliciously crafted web content may lead to arbitrary code execution
\nDescription: A type confusion issue was addressed with improved memory handling.<\/p><\/blockquote>\nOut of the 11 fixes, ten were for WebKit.<\/p>\n
The full list of security issues addressed can be found here<\/a>. Safari 13.1 can be downloaded through the Updates<\/strong> tab of the App Store<\/strong> for High Sierra users and through System Preferences<\/strong> > Software Update<\/strong> for Mojave users. For macOS Catalina users it is included in macOS 10.15.4.<\/p>\n
macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra<\/h3>\n
Last but not least, macOS received some updates: security-only updates for Mojave and High Sierra, and a bugfix-plus-security update for Catalina:<\/p>\n
\n\nmacOS Catalina 10.15.4 introduces iCloud Drive folder sharing, Screen Time communication limits, Apple Music time-synced lyrics view, and more. The update also improves the stability, reliability, and security of your Mac.<\/p>\n<\/div>\n<\/blockquote>\n
\nThe list of enhancements and fixes is long and can be viewed in full here on Apple’s website<\/a>. Some highlights include:<\/p>\n<\/div>\n
\n\n\n
- Communication limits for controlling who your children can communicate with and be contacted by throughout the day and during downtime<\/li>\n
- Playback control of music videos for your children<\/li>\n
- Option to import Chrome passwords into your iCloud Keychain for easy AutoFill of your passwords in Safari and across all your devices<\/li>\n
- Head pointer preference for moving a cursor on the screen based on the precise movements of your head<\/li>\n<\/ul>\n<\/div>\n<\/blockquote>\n
Of course there are security-related fixes included as well, of which Apple specifically names 27. Six of these are available for macOS High Sierra and Mojave. The security fixes include:<\/p>\n
Bluetooth
\n<\/strong>Available for: macOS Catalina 10.15.3
\nImpact: A local user may be able to cause unexpected system termination or read kernel memory
\nDescription: An out-of-bounds read was addressed with improved input validation.
\n<\/strong>
\nCall History
\n<\/strong>Available for: macOS Catalina 10.15.3
\nImpact: A malicious application may be able to access a user’s call history
\nDescription: This issue was addressed with a new entitlement.
\n<\/strong>
\nFaceTime
\n<\/strong>Available for: macOS Catalina 10.15.3
\nImpact: A local user may be able to view sensitive user information
\nDescription: A logic issue was addressed with improved state management.
\n<\/strong>
\nMail
\n<\/strong>Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3
\nImpact: A remote attacker may be able to cause arbitrary javascript code execution
\nDescription: An injection issue was addressed with improved validation.
\n<\/strong>
\nTime Machine
\n<\/strong>Available for: macOS Catalina 10.15.3
\nImpact: A local user may be able to read arbitrary files
\nDescription: A logic issue was addressed with improved state management.<\/p><\/blockquote>\nThe full list of security issues addressed can be found here<\/a>. macOS High Sierra users can find the security update in the App Store app under the Updates tab. Mojave and Catalina users should visit the Software Update pane in System Preferences (Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>) instead. Standalone updates can also be downloaded from the following links:<\/p>\n
\n
- macOS Catalina 10.15.4 Update<\/a> (for 10.15.3)<\/li>\n
- macOS Catalina 10.15.4 Combo Update<\/a> (for 10.15 through 10.15.2)<\/li>\n
- Security Update 2020-002 (Mojave)<\/a><\/li>\n
- Security Update 2020-002 (High Sierra)<\/a><\/li>\n<\/ul>\n
Whether you’re using iOS, iPadOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.<\/p>\n
See also our related article on checking your macOS backups:<\/p>\n
How to Verify Your Backups are Working Properly<\/a><\/p><\/blockquote>\n