![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/03\/ios-software-update-available-icon-600x300-e1558142227486.png\"){kind=icon}
<\/p>\n<\/p>\n
This week, Apple again released updates to all of their operating systems and to the Safari web browser. One of the zero-day security vulnerabilities that was patched allowed malware to take screenshots on infected Macs. The malware, named XCSSET<\/a>, was found to be actively exploiting this vulnerability in the wild. The good news for VirusBarrier<\/a> users is that you’ve been protected from the XCSSET malware <\/strong>while Apple scrambled to implement these fixes.<\/p>\n Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) With the last update less than three weeks ago, Apple still managed to fix 43 security related issues. Here are some of them:<\/p>\n Core Services ImageIO Kernel Mail Notes The full list of security issues addressed can be found here<\/a>.<\/p>\n To install these latest updates, go to Settings<\/strong> > General<\/strong> > Software Update<\/strong> on your device. You can also connect your device to a Mac or Windows PC and use iTunes, or the Finder (in macOS Catalina or Big Sur), to update it.<\/p>\n No updates were made available for iOS 12 or 13 again. With the severity of the issues fixed in iOS 14 so far, continued use of these older iOS versions is not recommended. No further updates, or a dramatic decrease in frequency in updates, for these older iOS versions are expected in the future.<\/p>\n Available for: the Apple TV HD and Apple TV 4K The full list of security issues addressed can be found here<\/a>. Available for: Apple Watch Series 3 and later<\/p>\n watchOS 7.5 includes new features, improvements, and bug fixes:<\/p>\n A total of 25 security issues were addressed. Most of them the same as those addressed in iOS 14.6, iPadOS 14.6, and tvOS 14.6.<\/p>\n The full list of security issues addressed can be found here<\/a>.<\/p>\n To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General<\/strong> > Software Update<\/strong>.<\/p>\n As with older versions of iOS, watchOS 6 has not benefited from this round of security updates. This makes continued use of the older operating system something to reconsider.<\/p>\n macOS Big Sur 11.4 adds Apple Podcasts subscriptions and channels and includes important bug fixes.<\/p>\n Podcasts<\/strong><\/p>\n This release also fixes the following issues:<\/p>\n Then there are the security fixes, 73 in total, making this a significant update. here are a few of the highlights:<\/p>\n App Store Dock Login Window Software Update TCC The full list of security issues addressed can be found here<\/a>. The latest security update for macOS Catalina includes 48 security fixes, and are the same as those found in the latest Big Sur update.<\/p>\n The full list of security issues addressed can be found here<\/a>. The latest security update for Mojave includes 42 security fixes and are the same as those found in the latest Big Sur update.<\/p>\n The full list of security issues addressed can be found here<\/a>. It is worth noting that the Transparency Consent and Control (TTC) framework, that was patched in Big Sur to mitigate the XCSSET malware exploit, was not patched in macOS Catalina or Mojave. Catalina received one TTC patch unrelated to the malware exploit and Mojave received no TTC patches at all. As these two previous macOS versions are still supported with security updates, we can only assume that the malware was unable to exploit the framework in the same way as it did on Big Sur.<\/p>\n Still, users of these previous macOS versions may want to adopt the “better safe than sorry” philosophy and grab VirusBarrier for added protection.<\/p>\n Available for: macOS Catalina and macOS Mojave Whether you’re using iOS, iPadOS, or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.<\/p>\n See also our related article on checking your macOS backups: We discuss these security updates and more in episode 189 of the Intego Mac Podcast.
\nXCSSET was discovered late last year and targets Mac developers by infecting Xcode projects, using them to spread through Github repositories.<\/p>\niOS 14.6 and iPadOS 14.6<\/h3>\n
\nNew features, functionality and bug fixes include:<\/p>\n\n
\n<\/strong>Impact: A malicious application may be able to gain root privileges
\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.<\/p><\/blockquote>\n
\n<\/strong>Impact: Processing a maliciously crafted image may lead to disclosure of user information
\nDescription: An out-of-bounds read was addressed with improved bounds checking.<\/p><\/blockquote>\n
\n<\/strong>Impact: A malicious application may be able to execute arbitrary code with kernel privileges
\nDescription: A logic issue was addressed with improved validation.<\/p><\/blockquote>\n
\n<\/strong>Impact: Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination
\nDescription: A use after free issue was addressed with improved memory management.<\/p><\/blockquote>\n
\n<\/strong>Impact: A user may be able to view restricted content from the lockscreen
\nDescription: A window management issue was addressed with improved state management.<\/p><\/blockquote>\niOS 12 & 13<\/h3>\n
tvOS 14.6<\/h3>\n
\nNo new features or functionality this time around, just the typical performance and stability improvements. Of course there are some security related fixes as well, 26 of them, most of which are the same as those addressed in iOS and iPadOS 14.6.<\/p>\n
\nThe tvOS update can be downloaded directly from the Apple TV by going to Settings<\/strong> > System<\/strong> > Update Software<\/strong>.<\/p>\nwatchOS 7.5<\/h3>\n
\n
watchOS 6<\/h3>\n
macOS Big Sur 11.4<\/h3>\n
\n\n
\n
\n<\/strong>Impact: A malicious application may be able to break out of its sandbox
\nDescription: A path handling issue was addressed with improved validation.<\/p>\n
\n<\/strong>Impact: A malicious application may be able to access a user’s call history
\nDescription: An access issue was addressed with improved access restrictions.<\/p>\n
\n<\/strong>Impact: A person with physical access to a Mac may be able to bypass Login Window
\nDescription: A logic issue was addressed with improved state management.<\/p>\n
\n<\/strong>Impact: A person with physical access to a Mac may be able to bypass Login Window during a software update
\nDescription: This issue was addressed with improved checks.<\/p>\n
\n<\/strong>Impact: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.
\nDescription: A permissions issue was addressed with improved validation.
\nThis is the zero-day vulnerability the XCSSET malware was exploiting.<\/p><\/blockquote>\n
\nTo get this update, visit the Software Update pane in System Preferences (Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>).<\/p>\nSecurity Update 2021-003 Catalina<\/h3>\n
\nTo get this update, visit the Software Update pane in System Preferences (Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>)
\nThis security update is not available yet on Apple’s downloads website<\/a> at the time of writing.<\/p>\nSecurity Update 2021-004 Mojave<\/h3>\n
\nTo get this update, visit the Software Update pane in System Preferences (Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>)
\nThis security update is not available yet on Apple’s downloads website<\/a> at the time of writing.<\/p>\nSafari 14.1.1<\/h3>\n
\nThis is a small update for Mojave and Catalina users that fixes 10 security vulnerabilities<\/a>.
\nTo get this update, visit the Software Update pane in System Preferences (Apple menu<\/strong> > System Preferences…<\/strong> > Software Update<\/strong>). For Big Sur users the latest version of Safari is built into the 11.4 update.<\/p>\n
\nHow to Verify Your Backups are Working Properly<\/a><\/p>\nHow can I learn more?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\")
<\/a>Each week on the Intego Mac Podcast<\/strong><\/a>, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n
\n