![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/03\/ios-software-update-available-icon-600x300-e1558142227486.png\"){kind=icon}
<\/p>\n<\/p>\n
This week Apple released updates to all of its operating systems and Safari browser. Here’s a brief rundown of new features and security-related fixes included with each update.<\/p>\n
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation<\/p>\n
Apple describes these updates’ new features as follows:<\/p>\n
iOS 13.6 adds support for digital car keys, introduces audio stories in Apple News+ (US only), and contains a new symptoms category in the Health app. This release also includes bug fixes and improvements.<\/p><\/blockquote>\n
iPadOS 13.6 introduces local news in your Today feed in Apple News (US only) and includes bug fixes and improvements for your iPad.<\/p><\/blockquote>\n
Following is sampling of the (non-security) bug fixes and improvements in these updates:<\/p>\n
\n\n
- Adds a new setting to choose if updates automatically download to your device when on Wi-Fi<\/li>\n
- Addresses stability issues when accessing Control Center when Assistive Touch was enabled<\/li>\n
- [iOS only] Fixes an issues that prevented some iPhone 6S and iPhone SE devices from registering for Wi-Fi Calling<\/li>\n
- [iOS only] Fixes an issue that could cause data roaming to appear to be disabled on eSIM even though it remained active<\/li>\n<\/ul>\n<\/blockquote>\n
Many security-related issues were addressed as well, 29 of which are specifically mentioned. Here are some of them:<\/p>\n
Audio
\n<\/strong>Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
\nDescription: An out-of-bounds read was addressed with improved bounds checking.
\n<\/strong>
\nBluetooth
\n<\/strong>Impact: A remote attacker may cause an unexpected application termination
\nDescription: A denial of service issue was addressed with improved input validation.
\n<\/strong>
\nCoreFoundation
\n<\/strong>Impact: A local user may be able to view sensitive user information
\nDescription: An issue existed in the handling of environment variables. This issue was addressed with improved validation.
\n<\/strong>
\nGeoServices
\n<\/strong>Impact: A malicious application may be able to read sensitive location information
\nDescription: An authorization issue was addressed with improved state management.
\n<\/strong>
\nImageIO
\n<\/strong>Impact: Processing a maliciously crafted image may lead to arbitrary code execution
\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.
\n<\/strong>
\nMessages
\n<\/strong>Impact: A user that is removed from an iMessage group could rejoin the group
\nDescription: An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification.
\n<\/strong>
\nSafari Login AutoFill
\n<\/strong>Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain
\nDescription: A logic issue was addressed with improved restrictions.<\/p><\/blockquote>\nThree of the fixes were for bugs in the kernel, the core component of the operating system, addressing serious issues such as the access of restricted memory by applications and arbitrary code execution. There were also several security fixes related to WebKit, a page-rendering framework utilized by Safari and many other parts of the operating system.<\/p>\n
The full list of security issues addressed can be found here<\/a>.<\/p>\n
iOS 12.4.8<\/h3>\n
Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation<\/p>\n
Apple describes iOS 12.4.8 simply as an update that “provides important security updates and is recommended for all users.” No specific security-related release notes were available at the time of writing. Apple’s website simply states, “This update has no published CVE entries.<\/span>” This statement sometimes means that security issues were addressed that can not yet be published, as those same issues exist in other operating systems that have not been fixed yet.<\/p>\n
Regardless of whether your device is compatible with iOS 13 or iPadOS 13, or if it is limited to iOS 12, you can obtain the updates over the air (without tethering to a computer) by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong>. You can also connect your device to your Mac (or your Windows PC with iTunes) to install the update.<\/p>\n
tvOS 13.4.8<\/h3>\n
Apple simply states that tvOS 13.4.8 “includes general performance and stability improvements.” Available for the Apple TV 4K and Apple TV HD, and a total of 20 security issues were specifically mentioned, most of which are the same as those addressed in iOS and iPadOS 13.4.8. Among other parts of the operating system, the kernel, WebKit, and GeoServices all had some work done to make them more secure.<\/p>\n
The full list of security issues addressed can be found here<\/a>. The tvOS update can be downloaded directly from the Apple TV by going to Settings<\/strong> > System<\/strong> > Update Software<\/strong>.<\/p>\n
watchOS 6.2.8<\/h3>\n
Available for: Apple Watch Series 1 and later<\/p>\n
Apple says that watchOS 6.2.8 includes the following “new features and improvements”:<\/p>\n
\n\n
- Adds support for digital car keys for Apple Watch Series 5<\/li>\n
- ECG app on Apple Watch Series 4 or later now available in Bahrain, Brazil, and South Africa<\/li>\n
- Irregular heart rhythm notifications now available in Bahrain, Brazil, and South Africa<\/li>\n<\/ul>\n<\/blockquote>\n
A total of 19 security related issues were specifically mentioned as having been fixed. As one might expect, these issues overlap with those addressed in iOS, iPadOS, and tvOS.<\/p>\n
The full list of security issues addressed can be found here<\/a>.<\/p>\n
watchOS 5.3.8<\/h3>\n
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to an iPhone with iOS 12 installed<\/p>\n
Similar to the iOS 12.4.8 update, Apple simply states that watchOS 5.3.8 “provides important security updates and is recommended for all users.” No security-related release notes were available at the time of writing. Apple’s website simply states “This update has no published CVE entries.<\/span>” Again, like the iOS 12.4.8 update, this could potentially mean that security issues were addressed that can not yet be published, as those same issues may exist in other operating systems that have not been fixed yet.<\/p>\n
watchOS can be updated by connecting the watch to its charger, then on the iPhone open the Apple Watch app<\/strong> > My Watch tab<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n
Safari 13.1.2<\/h3>\n
The latest version of Safari,\u00a0<\/span>included in macOS Catalina and also<\/span> available for macOS Mojave and macOS High Sierra, contains improvement to tabs, performance, and security. Eleven security issues were specifically mentioned, and two of the most notable are as follows:<\/span><\/p>\n
Safari Downloads
\n<\/strong>Impact: A malicious attacker may be able to change the origin of a frame for a download in Safari Reader mode
\nDescription: A logic issue was addressed with improved restrictions.Safari Downloads
\n<\/strong>
\nSafari Login AutoFill
\n<\/strong>Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain
\nDescription: A logic issue was addressed with improved restrictions.<\/p><\/blockquote>\nOut of the eleven fixes, eight of which address the aforementioned WebKit vulnerabilities.<\/p>\n
The full list of security issues addressed can be found here<\/a>. Safari 13.1.2 can be downloaded through the Updates<\/strong> tab of the App Store<\/strong> for High Sierra and through System Preferences<\/strong> > Software Update<\/strong> for Mojave. For macOS Catalina, it is included in macOS 10.15.6.<\/p>\n
macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra<\/h3>\n
Last but not least, macOS received some updates: security-only updates for Mojave and High Sierra, and a bugfix-plus-security update for Catalina:<\/p>\n
\n\nmacOS Catalina 10.15.6 introduces local news in your Today feed in Apple News and improves the security and reliability of your Mac. A few highlights:<\/p>\n
\n
- Adds a new option to optimize video streaming on HDR-compatible Mac notebooks for improved battery life<\/li>\n
- Fixes an issue where the computer name may change after installing a software update<\/li>\n
- Resolves an issue where certain USB mouse and trackpads may lose connection<\/li>\n
- (Enterprise) Major new releases of macOS can be hidden when using the
softwareupdate(8)<\/code> command with the--ignore<\/code> flag, if the Mac is enrolled in Apple School Manager, Apple Business Manager, or a user-approved MDM.<\/li>\n<\/ul>\n<\/div>\n<\/blockquote>\nOf course there are security fixes included as well, of which 19 are specifically named. Of these, 17 are exclusively available for macOS Catalina and are not addressed for previous macOS versions. As is typical, Apple did not clarify in its security release notes whether the issues only addressed for Catalina are non-issues in Mojave and High Sierra, or whether Apple decided to only address the issues for Catalina even though older macOS versions may be affected.<\/p>\n
Some of the highlights include:<\/p>\n
CoreFoundation
\n<\/strong>Available for: macOS Catalina 10.15.5
\nImpact: A local user may be able to view sensitive user information
\nDescription: An issue existed in the handling of environment variables. This issue was addressed with improved validation.Safari Downloads
\n<\/strong>
\nMail
\n<\/strong>Available for: macOS Catalina 10.15.5
\nImpact: A remote attacker can cause a limited out-of-bounds write, resulting in a denial of service
\nDescription: An input validation issue was addressed.Safari Downloads
\n<\/strong>
\nMessages
\n<\/strong>Available for: macOS Catalina 10.15.5
\nImpact: A user that is removed from an iMessage group could rejoin the group
\nDescription: An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification.Safari Downloads
\n<\/strong>
\nVim (a command-line text editor included with UNIX and macOS)
\n<\/strong>Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
\nImpact: A remote attacker may be able to cause arbitrary code execution
\nDescription: This issue was addressed with improved checks.Safari Downloads
\n<\/strong>
\nCoreAudio
\n<\/strong>Available for: macOS High Sierra 10.13.6
\nImpact: A buffer overflow may result in arbitrary code execution
\nDescription: A buffer overflow was addressed with improved bounds checking.<\/p><\/blockquote>\nThe full list of security issues addressed can be found here<\/a>. macOS High Sierra users can find the security update in the App Store app under the Updates tab. Mojave and Catalina users should visit the Software Update pane in System Preferences (Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>) instead. Standalone updates can also be downloaded from the following links:<\/p>\n
\n
- macOS Catalina 10.15.6 Update<\/a> (for 10.15.5)<\/li>\n
- macOS Catalina 10.15.6 Combo Update<\/a> (for 10.15 through 10.15.4)<\/li>\n
- Security Update 2020-004 (Mojave)<\/a><\/li>\n
- Security Update 2020-004 (High Sierra)<\/a><\/li>\n<\/ul>\n
Whether you’re using iOS, iPadOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.<\/p>\n
See also our related article on checking your macOS backups:<\/p>\n
How to Verify Your Backups are Working Properly<\/a><\/p><\/blockquote>\n