You, Apple Mac fan. Put down the homemade oat-milk latte, you need to patch a load of security bugs, too

Patch Thursday is for you, Patch Tuesday is for everyone else


Apple has alerted users about a bunch of security fixes for its software on supported versions of macOS that you ought to install as soon as you can.

For Safari, there are nine CVE-listed patches in version 13.1.1. Six address malicious code execution (CVE-2020-9802, CVE-2020-9800, CVE-2020-9806, CVE-2020-9807, CVE-2020-9850, CVE-2020-9803) that can be achieved by opening a booby-trapped webpage or similar.

These were found separately by Samuel Groß of Google Project Zero; Brendan Draper working with Trend Micro's ZDI; Wen Xu of SSLab at Georgia Tech in the US; and a trio working together at SSLab. The vulnerabilities are present in the WebKit component of Safari.

The SSLab trio also found CVE-2020-9801 in Safari that can be exploited by malware already running on a Mac to force the browser to open another application. An anonymous researcher found CVE-2020-9805, and Ryan Pickren found CVE-2020-9843, both cross-site scripting holes in the software. Natalie Silvanovich of Google Project Zero found CVE-2019-20503, an information leak in the WebRTC component of Safari.

MacOS Catalina, aka version 10.15.5, meanwhile, features 46 security patches, also available to macOS Mojave (10.14) and High Sierra (10.13) users. Here are the highlights:

  • CVE-2020-9815 and CVE-2020-9791 found by Yu Zhou via Trend's ZDI: A specially crafted audio file can trigger malicious code execution when processed by the operating system, due to an out-of-bounds read bug, apparently.
  • CVE-2020-9816 found by Peter Nguyen Vu Hoang of STAR Labs via ZDI: Opening a booby-trapped PDF can trigger a crash or execution of malicious code, due to an out-of-bounds write bug in the operating system's font parser.
  • CVE-2020-3878 found by Samuel Groß of Google Project Zero: A maliciously crafted image can lead to code execution via the ImageIO component of the OS. Wenchao Li of VARAS@IIE and Xingwei Lin of Ant-financial Light-Year Security Lab found similar bugs (CVE-2020-9789 and CVE-2020-9790).
  • CVE-2020-9793, a rather mysterious remote code execution hole involving Python and an exploitable memory-corrupting bug.
  • CVE-2020-9828 found by Jianjun Dai of Qihoo 360 Alpha Lab: A hacker can exploit this to "leak sensitive user information" via a machine's Bluetooth interface.
  • CVE-2020-9837 found by Thijs Alkemade of Computest: IPsec connections can be attacked to leak user memory.
  • Plus a shed-load of privilege-escalation bugs, exploitable by users and software already on a Mac, and things like over-the-air Wi-Fi crashes (CVE-2020-9844, Ian Beer of Google Project Zero).

iOS users should have picked up security patches from earlier this month – which won't close down the arbitrary code execution hole used by a jailbreak that's doing the rounds.

Those wanting to join the ranks of Apple loyalists from Windows will want to keep an eye on this security issue: CVE-2020-9858. It's a DLL-loading vulnerability that shows up when migrating from Windows to Mac.

Finally, there's a bunch of bugs patched in iCloud for Windows, in both the 11.2 version (Windows 10) and the 7.19 build (Windows 7 and later, hey there, you gamers) editions. They include flaws in WebKit as well as three code-execution bugs in ImageIO and a crash flaw in SQLite.

It's good advice to stay up-to-date on all of your software, even rarely targeted Apple gear. Security Update should keep good track of these fixes for you. ®

