Apple Releases iPadOS 14.7 and macOS 11.5 with Security Notes for Recent OS Updates
Date: 2021-07-21
Apple usually updates all of its operating systems at once. So it was unusual when the company released iOS 14.7, watchOS 7.6, HomePod Software 14.7, and tvOS 14.7 without iPadOS 14.7 and macOS 11.5 Big Sur. And since Apple doesn’t release security notes until all affected operating systems are updated, those updates were a mystery. Apple has now pushed out iPadOS 14.7 and macOS 11.5, along with security notes for all of this week’s releases.
iPadOS 14.7
There is only one thing to say about iPadOS 14.7 that we didn’t already cover in “iOS 14.7 Adds Support for the MagSafe Battery Pack” (19 July 2021): Apple fixed an audio-skipping bug when using USB-C to 3.5mm headphone adapters. We’ll cover security notes for all releases below.
You can install the iPadOS 14.7 update, which clocks in at 847.6 MB on a third-generation iPad Air, in Settings > General > Software Update.
macOS 11.5
The macOS 11.5 update, like the iOS and iPadOS updates, updates the Podcasts app so you can view either all shows or only those you follow in the Library tab. It also fixes bugs that prevented Music from updating the play count and last played date in your library and prevented smart card authentication from working on M1-based Macs.
Howard Oakley has some other details about macOS 11.5, such as new versions of core apps and included firmware updates.
You can install the 2.93 GB (reportedly 3.8 GB on M1-based Macs) update in System Preferences > Software Update.
Security Notes for Current OS Versions
The security fixes in this week’s updates address some serious security vulnerabilities, so you should install them sooner rather than later. In particular, the iOS and iPadOS updates include this note for Wi-Fi: “Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution.” We presume that’s a fix for the Wi-Fi bug that could cause maliciously named access points to disable Wi-Fi on an iPhone or iPad (see “Obscure Bug Could Disable the %p%s%s%s%s%n Wi-Fi on Your iPhone or iPad,” 7 July 2021).
We knew the vulnerability could cause Wi-Fi to stop working, but from Apple’s notes, it seems like a potential vector for malware as well.
Here are the security notes and number of vulnerabilities fixed in each version:
- iOS 14.7 and iPadOS 14.7 have 31 security fixes.
- macOS 11.5 has 35 security fixes.
- watchOS 7.6 has 21 security fixes.
- tvOS 14.7 has 20 security fixes.
Does anyone know if this closes the “Pegasus” vulnerabilities in iMessage?
There is no mention of it in Security Notes and it would be shocking to see that Apple could react to a 0-day in such record time.
Doubtful. But I just read a Forbes article saying that millions of Mac users need to check for malicious files in the LaunchAgent directory.
I would need a lot more information before deleting “suspicious” files manually. The article advises using up-to-date virus/malware checking software.
I use ClamX but am not sure if it currently covers this issue.
I wonder if the latest Catalina/Mojave updates are relevant?
“LaunchServices
Available for: macOS Mojave
Impact: A malicious application may be able to break out of its sandbox…”
It’s a 1.7 GB download for Mojave.
TL;DR: It’s a good idea to review your system’s Launch Agents, but look closely at them before deleting anything because they may be perfectly innocent, even if there’s a big scary file name.
For instance, I’ve got one called com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist.
At first glance, that looks really suspicious, since it’s got a huge string of hex digits as a part of the name. But if you open it up and read the contents you find:
Note the contents of the ProgramArguments key. This identifies the app that will be launched. In this case, it’s the “Adobe Reader Updater Helper.app” that is contained within the Adobe Reader app.
The “RunAtLoad” key is set to true, meaning it will run this when I log in.
The “StartInterval” is set to 12600 seconds (3.5 hours), which means it will re-run itself about once every 3.5 hours. Which is reasonable for a major app to check for updates.
The important thing is that, despite the scary looking file name, this specific Launch Agent is perfectly innocent. (Assuming you actually installed Adobe Reader, of course).
Note also that the mere presence of a Launch Agent doesn’t necessarily mean anything will actually run. The system launcher will still depend on the file’s contents to determine that.
For example, iMazing has one for launching its iMazing Mini menu-bar app when you log in. I have disabled the feature (via its preferences), but the Launch Agent file (com.DigiDNA.iMazing2Mac.Mini.plist) still exists. But note the contents:
Specifically, note the “RunAtLoad” key whose value is set to false. In other words, the system won’t be launching anything in this file.
In other words, yes, go review the Launch Agents in your system and if something looks like malware, then delete it. But look closely at the contents to make sure it isn’t something innocent.
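The review described in the post above, as an added example that is not part of the original post: it parses a Launch Agent plist and reports the program it launches and which launchd keys would start it. It goes slightly beyond the post by also listing launchd triggers other than RunAtLoad and StartInterval; the two sample plists are constructed to mirror the agents described, with made-up labels and paths.

```python
import plistlib
from pathlib import Path

# launchd.plist keys that can start a job without the user launching it.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths", "QueueDirectories")

def summarize_agent(data: bytes) -> dict:
    """Parse one Launch Agent plist; report what it runs and what starts it."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    return {
        "label": job.get("Label"),
        "program": program,
        "arguments": args[1:],
        # Only keys with a truthy value count; RunAtLoad=false is not a trigger.
        "triggers": {k: job[k] for k in TRIGGER_KEYS if job.get(k)},
        "runs_at_login": bool(job.get("RunAtLoad")),
    }

def scan(directory: Path) -> list:
    """Summarize every .plist in a directory; unparsable files are reported."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            results.append((path.name, summarize_agent(path.read_bytes())))
        except Exception as exc:  # malformed plist, unreadable file, ...
            results.append((path.name, {"error": type(exc).__name__}))
    return results

# Constructed samples (hypothetical labels and paths, not real vendor files).
UPDATER = plistlib.dumps({
    "Label": "com.example.reader.updater",
    "ProgramArguments": ["/Applications/Example Reader.app/Contents/MacOS/Updater"],
    "RunAtLoad": True,
    "StartInterval": 12600,  # seconds, i.e. every 3.5 hours
})
DISABLED_MINI = plistlib.dumps({
    "Label": "com.example.mini",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Mini"],
    "RunAtLoad": False,
})

if __name__ == "__main__":
    for blob in (UPDATER, DISABLED_MINI):
        print(summarize_agent(blob))
    for d in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        for name, info in scan(d):
            print(d / name, info)
```

Run as a script on a Mac, it also summarizes the agents in ~/Library/LaunchAgents and /Library/LaunchAgents.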
Although there are over 17,000 signatures for XLoader files in ClamXAV, I can only verify that they do not appear to look for that specific file name, but might be able to identify it by other means. I don’t have a sample yet of that specific component of the infection so can’t fully check for it, but I will return once I’ve been able to get a more definitive answer. I also checked DetectX Swift and Malwarebytes, neither of which are looking for it presently.
Security Updates never look for malware, they only patch vulnerabilities. XProtect and MRT updates cover malware.
XLoader and its predecessor trace their roots back to 2003 and have mostly been sold to adware agents. The two big deals about this new variant are that the same code can be used against both Windows and Macs (since around December of last year) & that it is now distributed embedded in a Word document which can be sent as a message attachment. I don’t know that any purchaser has actually used it to steal information off a Mac as that isn’t usually a big moneymaker.
One other thing I should have mentioned. Java is needed in order to install this version of XLoader and most users will not have it since it hasn’t been included in macOS since Snow Leopard and very few 3rd party apps still require it. If you don’t have a Java prefs pane in System Preferences and are not still running SL then look no further for this one. Another check would be this Terminal command: java -version.
