MacOS 'Catalina' 10.15 comes packed with exclusive security fixes - gee, thanks, Apple

Apple has taken the opportunity of its official macOS Catalina release on Monday to close more than a dozen security holes in the desktop operating system.

The macOS 10.15 update, out today, includes fixes for a total of 16 CVE-listed security vulnerabilities in various components.

These particular patches, it should be noted, are, for now at least, only being offered in macOS 10.15. Those staying with Mojave, aka 10.14, will get a Safari update, though it does not contain any security content. In other words, if any of these 16 holes are present in pre-Catalina releases of macOS, users of those builds may have to wait a while for security updates to arrive for those versions.

This will thus put some Mac loyalists in the unenviable position of choosing to install the latest security fixes, and have an app or two break with macOS 10.15, or sit out the upgrade for now and miss out on patches. Remember that the first public release of Apple's OS tends to be a little bumpy.

Bugs zapped

Among the more serious bugs killed off in Catalina are a pair of flaws (CVE-2019-8781, CVE-2019-8717) in the macOS kernel itself that would allow for arbitrary code execution. In each case, an application already on the system that can access the kernel would trigger a memory corruption error and exploit the flaw.

Arbitrary code execution errors (again requiring an application to already be running on the machine) were also spotted and patched in firmware for AMD (CVE-2019-8748) and Intel Graphics Driver (CVE-2019-8758) code.

Code execution can also be attained by opening up a poisoned text file, thanks to CVE-2019-8745, a buffer overflow error traced back to macOS' UIFoundation component.

Apple's WebKit engine will receive two patches. The first bug, CVE-2019-8769, would allow a malicious website to snoop user browsing history. The second, CVE-2019-8768, is an error in the "clear history and website data" command that results in incorrectly retaining information that was supposed to be wiped.

One of the more interesting bugs in the update was CVE-2019-8772. That flaw, disclosed earlier this month in a paper by uni boffins in Bochum and Münster, allows an attacker to exfiltrate some data out of encrypted PDFs.

Another is CVE-2019-8755, a "logic issue" in the IOGraphics component that could allow a rogue application to snoop on kernel memory contents.

Mac owners are not the only ones who will want to look out for an Apple update. The Windows port of the iCloud software (10.7 for Windows 10 and 7.14 for Windows 7) also received updates.

Among those are the CVE-2019-8745 text file flaw that allows code execution as well as two cross-site-scripting (CVE-2019-8625, CVE-2019-8719) and five arbitrary code execution flaws (CVE-2019-8707, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8763) in WebKit.

Admins might want to get the Apple updates tested and installed today, as the patch workload will increase substantially tomorrow when Microsoft, Adobe, and SAP all deliver their monthly security fixes. ®
