Apple emits its much-anticipated updates to Mac, AppleTV, and iOS

Security updates. What did you think we were referring to?

Sneaking in behind the hoopla of Tuesday's MacBook spectacle was a set of security updates for virtually all of Apple's supported products.

The Cupertino maker of shiny status symbols has posted security fixes for dozens of CVE-listed vulnerabilities in iOS, macOS, and AppleTV, as well as watchOS and individual applications like iTunes and iCloud.

For iOS, the 12.1 update covers 31 vulnerabilities, most notably nine remote code execution flaws in WebKit, the browser engine that Apple uses to power Safari across both iOS and macOS. Each of those flaws would allow a web page to trigger a memory corruption error with code crafted to target it.

These vulnerabilities are of particular interest in iOS because they are also often used to perform jailbreak procedures that allow users to install non-App Store content.

Apple also patched a pair of interesting vulnerabilities in FaceTime that were discovered and reported by Natalie Silvanovich of Google Project Zero. CVE-2018-4366 would allow an attacker to view memory contents, while CVE-2018-4367 would allow for a remote code execution attack simply by placing a FaceTime call.

MacOS users will receive bug fixes as one of three updates depending on their OS X version. Mojave 10.14.1, High Sierra security update 2018-001 and Sierra security update 2018-005 all include the same fixes for Apple's desktop OS.

Among those are CVE-2018-3646, a speculative execution attack that can disclose processor cache contents through the hypervisor, and CVE-2018-4398, a flaw in the CUPS system that would allow an attacker to guess the prime numbers used for encryption.

Apple also patched 13 different flaws in the macOS kernel and 11 vulnerabilities in Ruby that would have allowed an attacker to remotely execute code. A separate update for Safari (12.0.1) includes fixes for the 10 WebKit vulnerabilities mentioned above as well as a cross-site scripting flaw in Safari Reader.

Windows updates won't get off easy, either. Apple has kicked out patches for the Windows versions of iTunes (12.9.1) and iCloud for Windows (7.8) that include, among other things, fixes for the 10 remote code execution vulnerabilities in WebKit (which both apps use for their interface).

Elsewhere, the watchOS 5.1 patch* addresses a total of 21 CVE-listed flaws in the Apple wearable, while tvOS 12.1 cleans up 15 different bugs on Apple's set-top box. ®

*Apple pulled the watchOS 5.1 update on 31 October after it left Apple Watch 4 owners with bricked bling.
