It's December 2018, and a rogue application can still tell your Apple Mac: I'm your El Capitan now
iOS, macOS, tvOS, Safari, and anyone for some reason using iTunes on Windows – get patching
Apple has released a fresh set of security updates for its Mac and iOS software.
The December patches also address flaws in tvOS, Safari, and the Windows versions of iTunes and iCloud. They should all be installed as soon as possible, via the usual Software Update mechanism.
Baker's dozen fixes for Mac owners, plus nine in Safari
For Macs, the updates will be delivered as Mojave 10.14.2, High Sierra security update 2018-003, or Sierra security update 2018-006, depending on the version of macOS installed.
Each addresses a total of 13 CVE-listed flaws, including seven that would allow a dodgy application, rogue user, or malware on your system to escalate their privileges and gain control over the Mac. Those holes include two flaws in WindowServer (CVE-2018-4449, CVE-2018-4450), three in Kernel (CVE-2018-4444, CVE-2018-4461, CVE-2018-4435), one in Carbon Core (CVE-2018-4463), one in Disk Images (CVE-2018-4465), and one in IOHIDFamily (CVE-2018-4427).
The update also patches kernel memory disclosure flaws in the Intel Graphics Driver (CVE-2018-4434) and Kernel (CVE-2018-4431), as well as another privilege elevation bug, this time in Airport (CVE-2018-4303), a memory disclosure flaw in the AMD driver (CVE-2018-4462), and a denial-of-service bug in Kernel (CVE-2018-4460).
Mac users will also want to get the Safari 12.0.2 patch to shore up nine vulnerabilities in the browser and its WebKit engine. All six of the WebKit bugs (CVE-2018-4437, CVE-2018-4464, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438) can allow arbitrary remote code execution via a malicious web page, while the Safari flaws allow interface (CVE-2018-4439) or address bar (CVE-2018-4440) spoofing and sites not clearing from web history (CVE-2018-4445).
FaceTime, File Provider leaks plugged in iOS, tvOS tuned up
For iPhone and iPad owners, the December fixes will arrive as the iOS 12.1.1 release. The bundle includes all of the above-mentioned Safari and WebKit patches, as well as the Airport, Disk Images, and Kernel fixes.
Flaws unique to iOS are a FaceTime bug (CVE-2018-4430) that leaks contact details, a File Provider bug (CVE-2018-4446) that can show application details, an interface spoofing flaw (CVE-2018-4429) in LinkPresentation, and a Profiles bug (CVE-2018-4436) that shows untrusted configuration profiles as being verified.
For AppleTV, the tvOS 12.1.1 release is being served up. It includes the Airport, Disk Images, Kernel, Profiles, and WebKit bug fixes. Basically, all of the bugs in components tvOS borrows from macOS and iOS.
Windows users, think of this as a warm up for next week
Those running Apple software on their Windows PCs will want to get the iTunes 12.9.2 and iCloud for Windows 7.9 updates. Because those apps rely on components of WebKit and Safari, the patches for Apple's browser will need to be installed on the Windows apps as well. ®