Apple has taken the opportunity of its official macOS Catalina release on Monday to close more than a dozen security holes in the desktop operating system.
The macOS 10.15 update, out today, includes fixes for a total of 16 CVE-listed security vulnerabilities in various components.
These particular patches, it should be noted, are, for now at least, only being offered in macOS 10.15. Those staying with Mojave, aka 10.14, will get a Safari update, though it does not contain any security content. In other words, if any of these 16 holes are present in pre-Catalina releases of macOS, users of those builds may have to wait a while for security updates to arrive for those versions.
This will thus put some Mac loyalists in the unenviable position of choosing between installing the latest security fixes and having an app or two break with macOS 10.15, or sitting out the upgrade for now and missing out on patches. Remember that the first public release of Apple's OS tends to be a little bumpy.
Among the more serious bugs killed off in Catalina are a pair of flaws (CVE-2019-8781, CVE-2019-8717) in the macOS kernel itself that would allow for arbitrary code execution. In each case, an application already on the system that can access the kernel would trigger a memory corruption error to exploit the flaw.
Arbitrary code execution errors (again requiring an application to already be running on the machine) were also spotted and patched in firmware for AMD (CVE-2019-8748) and Intel Graphics Driver (CVE-2019-8758) code.
Code execution can also be attained by opening up a poisoned text file, thanks to CVE-2019-8745, a buffer overflow error traced back to macOS' UIFoundation component.
Apple's WebKit engine will receive two patches. The first bug, CVE-2019-8769, would allow a malicious website to snoop user browsing history. The second, CVE-2019-8768, is an error in the "clear history and website data" command that results in incorrectly retaining information that was supposed to be wiped.
One of the more interesting bugs in the update was CVE-2019-8772. That flaw, disclosed earlier this month in a paper by uni boffins in Bochum and Münster, allows an attacker to exfiltrate some data out of encrypted PDFs.
Another is CVE-2019-8755, a "logic issue" in the IOGraphics component that could allow a rogue application to snoop on kernel memory contents.
Mac owners are not the only ones who will want to look out for an Apple update. The Windows port of the iCloud software (10.7 for Windows 10 and 7.14 for Windows 7) also received updates.
Among those are the CVE-2019-8745 text file flaw that allows code execution as well as two cross-site-scripting (CVE-2019-8625, CVE-2019-8719) and five arbitrary code execution flaws (CVE-2019-8707, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8763) in WebKit.
Admins might want to get the Apple updates tested and installed today, as the patch workload will be increasing substantially tomorrow when Microsoft, Adobe, and SAP all deliver their monthly security fixes. ®