![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/03\/ios-software-update-available-icon-600x300-e1558142227486.png\"){kind=icon}
<\/p>\n<\/p>\n
Over the last two weeks, Apple released updates to all of its operating systems and Safari browser. Here’s a brief rundown of new features and security related fixes included with each update.<\/p>\n
Note that Apple withheld security notes for the May 18th and May 20th\u00a0<\/span>updates<\/span> until macOS update notes were released on May 26th. Below we’ve included selections from all of these updates, including newly released details.<\/span><\/p>\n Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation<\/p>\n Apple describes these updates’ new features as follows:<\/p>\n iOS 13.5 speeds up access to the passcode field on devices with Face ID when you are wearing a face mask and introduces the Exposure Notification API to support COVID-19 contact tracing apps from public health authorities. This update also introduces an option to control automatic prominence of video tiles on Group FaceTime calls and includes bug fixes and other improvements. A few highlights:<\/p>\n Some security-related issues were addressed as well, 45 of which were specifically named\u2014which makes this quite a big update. Here’s a sampling of some of the noteworthy vulnerabilities that were addressed:<\/p>\n Accounts The kernel, the core component of the operating system, received ten named fixes that addressed serious issues such as the access of restricted memory by applications and arbitrary code execution. There were also nine named security fixes related to WebKit, a page-rendering framework utilized by Safari and many other parts of the operating system.<\/p>\n The full list of security issues addressed can be found here<\/a>. It’s a long list, and some pretty significant security issues have been resolved, making this update worth prioritizing.<\/p>\n Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation<\/p>\n Apple describes iOS 12.4.7 simply as an update that “provides important security updates and is recommended for all users.” Apple names three specific security related issues: two for Mail, and one for Wi-Fi.<\/p>\n Regardless of whether your device is compatible with iOS 13 or iPadOS 13, or if it is limited to iOS 12, you can obtain the updates over the air by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong>. You can also connect your iOS device to your Mac and let iTunes do the update for you.<\/p>\n Apple simply states that tvOS 13.4.5 “includes general performance and stability improvements.” Available for the Apple TV HD and Apple TV 4K’s, 31 security issues were specifically mentioned as having been addressed. Most of them the same as those addressed in iOS and iPadOS 13.5. Among other parts of the operating system, the kernel, WebKit, and AppleMobileFileIntegrity all had some work done to make them more secure.<\/p>\n The full list of security issues addressed can be found here<\/a>. The tvOS update can be downloaded directly from the Apple TV by going to Settings<\/strong> > System<\/strong> > Update Software<\/strong>.<\/p>\n Available for: Apple Watch Series 1 and later<\/p>\n Apple says that watchOS 6.2.5 includes “new features, improvements, and bug fixes.”<\/span><\/p>\n A total of 32 security-related issues were named as having been fixed. As one might expect, these issues overlap with those addressed in the latest iOS, iPadOS, and tvOS updates.<\/p>\n The full list of security issues addressed can be found here<\/a>.<\/p>\n Available for: Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to an iPhone with iOS 12 installed<\/p>\n Similar to the iOS 12.4.7 update, Apple simply states that watchOS 5.3.7 “provides important security updates and is recommended for all users.” Apple has addressed two security related issues: one for Mail, and one for Wi-Fi.<\/p>\n watchOS can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app<\/strong> > My Watch tab<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n The latest version of Safari,\u00a0<\/span>included in macOS Catalina and also<\/span> available for macOS Mojave and macOS High Sierra, contains improvement to tabs, performance and security. Ten security issues were specifically mentioned as having been addressed, including the following:<\/span><\/p>\n Safari Out of the ten fixes, nine were for WebKit.<\/p>\n The full list of security issues addressed can be found here<\/a>. Safari 13.1.1 can be downloaded through the Updates<\/strong> tab of the App Store<\/strong> for High Sierra and through System Preferences<\/strong> > Software Update<\/strong> for Mojave. For macOS Catalina, it is included in macOS 10.15.5.<\/p>\n Last but not least, macOS received some updates: security-only updates for Mojave and High Sierra, and a bugfix-plus-security update for Catalina:<\/p>\n macOS Catalina 10.15.5 introduces battery health management in the Energy Saver settings for notebooks, a new option to disable automatic prominence in Group FaceTime calls, and controls to fine-tune the built-in calibration of your Pro Display XDR. The update also improves the stability, reliability, and security of your Mac.<\/p>\n<\/div>\n<\/blockquote>\n The list of (non-security) enhancements and fixes is long, and can be viewed in full here on Apple’s website<\/a>. Among the highlights:<\/p>\n<\/div>\n Of course, there are security-related fixes included as well, 48 of which Apple specifically names. Of these, 18 are exclusively available for macOS Catalina, and the rest are available for all of the currently supported macOS versions. Some of the highlights:<\/p>\n Accounts The Kernel received 10 named fixes. This alone makes these updates worth installing sooner rather than later. Whether you’re using iOS, iPadOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.<\/p>\n See also our related article on checking your macOS backups:<\/p>\n How to Verify Your Backups are Working Properly<\/a><\/p><\/blockquote>\niOS 13.5 and iPadOS 13.5<\/h3>\n
\n
\n<\/strong>Impact: A remote attacker may be able to cause a denial of service
\nDescription: A denial of service issue was addressed with improved input validation.
\n<\/strong>
\nAirDrop
\n<\/strong>Impact: A remote attacker may be able to cause a denial of service
\nDescription: A denial of service issue was addressed with improved input validation.
\n<\/strong>
\nAppleMobileFileIntegrity
\n<\/strong>Impact: A malicious application could interact with system processes to access private information and perform privileged actions
\nDescription: An entitlement parsing issue was addressed with improved parsing.
\n<\/strong>
\nBluetooth
\n<\/strong>Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
\nDescription: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.
\n<\/strong>
\nFaceTime
\n<\/strong>Impact: A user\u2019s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing
\nDescription: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.
\n<\/strong>
\nMessages
\n<\/strong>Impact: Users removed from an iMessage conversation may still be able to alter state
\nDescription: This issue was addressed with improved checks.<\/p><\/blockquote>\niOS 12.4.7<\/h3>\n
tvOS 13.4.5<\/h3>\n
watchOS 6.2.5<\/h3>\n
watchOS 5.3.7<\/h3>\n
Safari 13.1.1<\/h3>\n
\n<\/strong>Impact: A malicious process may cause Safari to launch an application
\nDescription: A logic issue was addressed with improved restrictions.
\n<\/strong>
\nWebKit
\n<\/strong>Impact: Processing maliciously crafted web content may lead to universal cross site scripting
\nDescription: A logic issue was addressed with improved restrictions.<\/p><\/blockquote>\nmacOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra<\/h3>\n
\n
\n\n\n
\n\n
\nyour own display-calibration target<\/li>\n
\n<\/strong>Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
\nImpact: A sandboxed process may be able to circumvent sandbox restrictions
\nDescription: A logic issue was addressed with improved restrictions.
\n<\/strong>
\nAppleUSBNetworking
\n<\/strong>Available for: macOS Catalina 10.15.4
\nImpact: Inserting a USB device that sends invalid messages may cause a kernel panic
\nDescription: A logic issue was addressed with improved restrictions.
\n<\/strong>
\nCalendar
\n<\/strong>Available for: macOS Catalina 10.15.4
\nImpact: Importing a maliciously crafted calendar invitation may exfiltrate user information
\nDescription: This issue was addressed with improved checks.
\n<\/strong>
\nFontParser<\/strong>
\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4
\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.
\n<\/strong>
\nSIP (System Integrity Protection<\/a>)
\n<\/strong>Available for: macOS Catalina 10.15.4
\nImpact: A non-privileged user may be able to modify restricted network settings
\nDescription: A logic issue was addressed with improved restrictions.<\/p><\/blockquote>\n
\nThe full list of security issues addressed can be found here<\/a>. macOS High Sierra users can find the security update in the App Store app under the Updates tab. Mojave and Catalina users should visit the Software Update pane in System Preferences (Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>) instead. Standalone updates can also be downloaded from the following links:<\/p>\n\n