Stuck inside with nothing to do? Apple fires out security fixes for iOS, macOS, wrist-puters... and something weird called iTunes for Windows

Dozens of bugs swatted in latest Cupertino updates


Apple has emitted a bundle of security fixes ranging across its product lines.

The seven updates address dozens of CVE-listed flaws in the firmware and software components of Cupertino's portables and desktops. Since you're stuck inside by the coronavirus pandemic, now's a great time to get patching.

For the flagship iOS, the 13.4 update includes fixes for 30 security holes.

Among the most serious are the bugs in WebKit, the browser engine at the heart of iOS. They include remote code execution (CVE-2020-3897, CVE-2020-9783, CVE-2020-3901, CVE-2020-3895, CVE-2020-3900, CVE-2020-3899), information disclosure (CVE-2020-3894), and cross-site scripting (CVE-2020-3902) blunders.

The iOS kernel also has a potentially serious arbitrary code execution bug (CVE-2020-9785) and an information disclosure flaw (CVE-2020-3914). Both require an attacker to already be running code on a device.

Locally-exploitable arbitrary code execution flaws in Image Processing (CVE-2020-9768) and IOHIDFamily (CVE-2020-3919) were also patched, as were a lock screen bypass flaw in Messages (CVE-2020-3891), two info disclosure flaws in Safari (CVE-2020-9775, CVE-2020-9781), and a traffic intercept bug in Bluetooth (CVE-2020-9770).

The macOS update (Catalina 10.15.4, security update 2020-002 for Mojave and High Sierra) has fixes for 26 CVE bugs. Among the more interesting are a sudo bug (CVE-2019-19232) that allows commands to be run "as a non-existent user" and a restricted memory access flaw in the Intel Graphics Driver (CVE-2019-14615) as well as what was only described as "multiple issues" in Vim (CVE-2020-9769).

Mac users will also get fixes for the above-mentioned kernel and IOHIDFamily flaws, a sign of just how close iOS and macOS have become. All of the iOS WebKit flaws are also present in the desktop Safari 13.1 update, which is no surprise as the engine powers both the desktop and mobile browsers.

Owners of other Apple gear will also want to check for updates as Apple has posted fixes for watchOS (17 CVE-listed bugs), tvOS (20 CVE entries), and iTunes for Windows (remember that baffling thing? It has 12 bugs fixed.)

Users can get the fixes via the Software Update option. ®

