Apple releases macOS 10.14.1, iOS 12.1, tvOS 12.1 and watchOS 5.1

30. October 2018 Security 0

Apple today released updates for all of it’s current operating systems, as well as security updates for High Sierra and Sierra and Safari. Additional security fix details were also released for previous updates. The most anticipated new feature of macOS and iOS of course being Group FaceTime which allows up to 32 participants. Of course I wouldn’t be writing about these updates if there weren’t some security fixes and enhancements as part of it so let’s dive in!

iOS 12.1

Listed as an update that introduces Group FaceTime, adds new emoji and Dual SIM support (AT&T and T-Mobile not on board yet though), this update also includes bug fixes and improvements. Two of the biggest bug fixes that were addressed are “beautygate” and cellular connectivity. The front facing camera on the latest iPhones used a very annoying smoothing feature by default that could not be disabled. This seems to have been corrected. Cellular connectivity has also greatly improved, at least for AT&T and T-Mobile users I have spoken to. Note that Group FaceTime video is not available for the following devices:
• iPhone 5s
• iPhone 6
• iPhone 6 Plus
These devices only support audio Group FaceTime calls.

Under the hood are also numerous security fixes and enhancements. Here are some of them:

AppleAVD
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing malicious video via FaceTime may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.

Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted vcf file may lead to a denial of service
Description: An out-of-bounds read was addressed with improved bounds checking.

FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A remote attacker may be able to leak memory
Description: A memory corruption issue was addressed with improved input validation.

Impact: A remote attacker may be able to initiate a FaceTime call causing arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.

Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with improved state management.

With a total of 32 security related issues addressed, iOS 12.1 is an update that should be installed sooner rather than later. As always, backup your iOS device prior to updating just in case something does not go as planned.

Apple has also released details on previously undisclosed security fixes that were a part of the initial iOS 12 release. 22 CVE’s were added to the “About the security content of iOS 12” document that can be found here.

The full list of security fixes can be found here. iOS users can update by going to Settings > General > Software Update on their devices or by connecting the device to their computer where iTunes can download and install the update.

tvOS 12.1

An update for the fourth and fifth generation Apple TV’s with seemingly no new features. There are however 15 reasons to update. Here are some of the security issues that this update addressed:

IPSec
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds read was addressed with improved input validation.

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed by removing the vulnerable code.

Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with improved memory handling.

Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.

NetworkExtension
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Connecting to a VPN server may leak DNS queries to a DNS proxy
Description: A logic issue was addressed with improved state management.

WiFi
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A denial of service issue was addressed with improved validation.

The full list of updates can be found here. Apple has also released details on previously undisclosed security fixes that were a part of the initial tvOS 12 release. 15 CVE’s were added to the “About the security content of tvOS 12” document that can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 5.1

With new watch faces and updated emoji, this update brings a few new features to all Apple Watch Series 1 and later. Some of the improvements and bug fixes are:

– Apple Watch Series 4 automatically contacts emergency services if you are immobile for about a minute after detecting a hard fall. The watch will also now play a message that informs the responder that the Apple Watch has detected a fall and shares your location coordinates when possible.
– Fixes an issue that could cause an incomplete installation of the Walkie-Talkie app for some users.
– Resolves an issue that prevented some users from being able to send or receive invitations on Walkie-Talkie
– Addresses an issue where some previously warned Activity awards were not showing in the Awards tab of the Activity app for some users.

A total of 21 security related issues were addressed as well. Most of them the same as those covered in iOS 12.1 and tvOS 12.1. For the full list you can take a look here. 15 previously undisclosed security fixes were also added to the “About the security content of watchOS 5” document that can be found here. watchOS 5.1 can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

Safari 12.0.1

Included in the 10.14.1 update for Mojave users, this update is available for download separately for High Sierra and Sierra users. Offering 12 fixes for security related issues it is a minor update but one that should be installed as soon as possible. WebKit got a lot of attention, as always, and Apple makes no mention of any new features.
The list of security fixes that were addressed can be found here. To install this update, visit the Updates tab of the App Store app on macOS High Sierra or Sierra or simply install Mojave 10.14.1 to have it included. Which brings us to the main event..

macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra

For Mojave users the 10.14.1 update brings support for Group FaceTime video and audio calls. Though at this time it is unknown what the hardware limitations are, it is thought that any Mac that can run Mojave, can use Group FaceTime. Also new are over 70 new emoji characters featuring different hair colors, hair styles and more options for bald people (yay!). While High Sierra and Sierra users will not enjoy these new features, they will enjoy improved security from their respective updates.

With a long list of 71 issues that were addressed, I won’t bore you with too many details here. A few of the notable ones are:

afpserver
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A remote attacker may be able to attack AFP servers through HTTP clients
Description: An input validation issue was addressed with improved input validation.

CUPS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: In certain configurations, a remote attacker may be able to replace the message content from the print server with arbitrary content

Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A denial of service issue was addressed with improved validation.

Dock
Available for: macOS Mojave 10.14
Impact: A malicious application may be able to access restricted files
Description: This issue was addressed by removing additional entitlements.

Mail
Available for: macOS Mojave 10.14
Impact: Processing a maliciously crafted mail message may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with improved state management.

Also included with the 10.14.1 update and security update for High Sierra are EFI firmware updates (you may need to download the full OS installer or Combo Update to get this new firmware though)

EFI

Available for: macOS High Sierra 10.13.6
Impact: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis
Description: An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel.

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: A local user may be able to modify protected parts of the file system
Description: A configuration issue was addressed with additional restrictions.

Note that macOS Sierra is not receiving new firmware. Sierra gets some love in the form of Hypervisor and Microcode patches though.

Hypervisor
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis
Description: An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry.

Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.

Microcode
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis
Description: An information disclosure issue was addressed with a microcode update. This ensures that implementation specific system registers cannot be leaked via a speculative execution side-channel.

The Kernel, Intel Graphics Driver, IOKit and many more system components had some security related work done so any user running macOS 10.14 Mojave, 10.13.6 High Sierra or 10.12.6 Sierra should install these updates as soon as they can.

Apple has also added previously undisclosed details of security fixes to the following documents:
About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan” And over 47 new entries in the “About the security content of macOS Mojave 10.14” document.
The full list of security related fixes for today’s update can be found here.

macOS Sierra and High Sierra users can find the security update in the App Store app under the Updates tab. Mojave users should visit the System Preferences > Software Update pane instead though. On Mojave the App Store will no longer list OS updates.

iOS or macOS, always backup your data prior to installing any updates. This gives you a restore point in case something does not go as planned.


Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.