MacOS 'Catalina' 10.15 comes packed with exclusive security fixes – gee, thanks, Apple
New OS squashes bugs, older versions may have to wait
Apple has taken the opportunity of its official macOS Catalina release on Monday to close more than a dozen security holes in the desktop operating system.
The macOS 10.15 update, out today, includes fixes for a total of 16 CVE-listed security vulnerabilities in various components.
These particular patches, it should be noted, are, for now at least, only being offered in macOS 10.15. Those staying with Mojave, aka 10.14, will get a Safari update, though it does not contain any security content. In other words, if any of these 16 holes are present in pre-Catalina releases of macOS, users of those builds may have to wait a while for security updates to arrive for those versions.
This will thus put some Mac loyalists in the unenviable position of choosing to install the latest security fixes, and have an app or two break with macOS 10.15, or sit out the upgrade for now and miss out on patches. Remember that the first major public releases of Apple's OS software tend to be a little bumpy.
Among the more serious bugs killed off in Catalina are a pair of flaws (CVE-2019-8781, CVE-2019-8717) in the macOS kernel itself that would allow for arbitrary code execution. In each case, an application that can access the kernel already on the system would trigger a memory corruption error and exploit the flaw.
Arbitrary code execution errors (again requiring an application to already be running on the machine) were also spotted and patched in firmware for AMD (CVE-2019-8748) and Intel Graphics Driver (CVE-2019-8758) code.
Code execution can also be attained by opening up a poisoned text file, thanks to CVE-2019-8745, a buffer overflow error traced back to macOS' UIFoundation component.
Apple's WebKit engine will receive two patches. The first bug, CVE-2019-8769, would allow a malicious website to snoop user browsing history. The second, CVE-2019-8768, is an error in the "clear history and website data" command that results in incorrectly retaining information that was supposed to be wiped.
One of the more interesting bugs in the update was CVE-2019-8772. That flaw, disclosed earlier this month in a paper by uni boffins in Bochum and Münster, allows an attacker to exfiltrate some data out of encrypted PDFs.
Got a pre-A12 iPhone? Love jailbreaks? Happy Friday! 'Unpatchable tethered Boot ROM exploit' releasedREAD MORE
Another is CVE-2019-8755, a "logic issue" in the IOGraphics component that could allow a rogue application to snoop on kernel memory contents.
Among those are the CVE-2019-8745 text file flaw that allows code execution as well as two cross-site-scripting (CVE-2019-8625, CVE-2019-8719) and five arbitrary code execution flaws (CVE-2019-8707, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8763) in WebKit.
Admins might want to get the Apple updates tested and installed today, as the patch workload will be increasing substantially tomorrow when Microsoft, Adobe, and SAP all deliver their monthly security fixes. ®