macOS 11.6 Big Sur, iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and Security Update 2021-005 Catalina Fix Security Flaws
On the eve of Apple’s next big product announcement, the company has released macOS 11.6 Big Sur, iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and Security Update 2021-005 Catalina to fix a PDF-related security issue: “Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”
macOS 11.6, iOS 14.8, and iPadOS 14.8 also fix a Web browsing vulnerability: “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”
9to5Mac suggests that the PDF vulnerability is the one NSO Group exploited with its Pegasus spyware to target Bahraini activists; the exploit apparently bypasses Apple’s BlastDoor protections (see “BlastDoor Hardens iMessage Against Malware Assaults,” 4 February 2021). We recommend installing these updates right away.
Here’s how to update on each platform:
- macOS: You can install macOS 11.6 (2.64 GB on an Intel-based 27-inch iMac) or Security Update 2021-005 Catalina from System Preferences > Software Update.
- iOS and iPadOS: You can install iOS 14.8 (402.6 MB on an iPhone 11) or iPadOS 14.8 from Settings > General > Software Update.
- watchOS: You can install the watchOS 7.6.2 update (70.1 MB on an Apple Watch Series 4) in the Watch app on your iPhone under My Watch > General > Software Update. Have your watch on its charger and charged to at least 50%.
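For anyone checking a fleet rather than clicking Software Update on one machine, the following is an added shell example, not code from the article: it decides whether a reported product version is at or above the versions named above (macOS 11.6, iOS/iPadOS 14.8, watchOS 7.6.2). The product labels `macos`, `ios`, `ipados` and `watchos` and the sample version strings are this example’s own constructions. Catalina is a special case: its product version stays 10.15.7 after a Security Update, so the script flags it for a build-number check rather than guessing; the page does not list the build, so none is hard-coded.

```shell
#!/bin/sh
# Added example (not from the TidBITS article). Compares dotted, numeric
# version strings and reports whether a device is at the fixed version.

# version_ge A B: exit 0 when dotted version A >= B, comparing component by
# component as integers (missing trailing components count as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ "$ac" = "$a" ] && a="" || a="${a#*.}"
        [ "$bc" = "$b" ] && b="" || b="${b#*.}"
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
    done
    return 0
}

# patch_status PRODUCT VERSION: prints one of
#   patched, update, check-build, no-fix-published, unknown
# PRODUCT labels are this example's own (macos|ios|ipados|watchos).
# Minimum versions are the ones the article names.
patch_status() {
    product="$1"; ver="$2"
    case "$product" in
        macos)
            case "$ver" in
                11.*)    min=11.6 ;;
                10.15.*) echo "check-build"; return 0 ;;      # Catalina: version stays 10.15.7; compare sw_vers -buildVersion
                10.14.*) echo "no-fix-published"; return 0 ;; # Mojave: only Safari 14.1.2 at time of writing
                *)       echo "unknown"; return 0 ;;
            esac ;;
        ios|ipados)
            case "$ver" in 14.*) min=14.8 ;; *) echo "unknown"; return 0 ;; esac ;;
        watchos)
            case "$ver" in 7.*) min=7.6.2 ;; *) echo "unknown"; return 0 ;; esac ;;
        *) echo "unknown"; return 0 ;;
    esac
    if version_ge "$ver" "$min"; then echo "patched"; else echo "update"; fi
}

# Stand-alone run: report the local Mac when sw_vers exists (macOS), otherwise
# use a constructed sample version so the script runs anywhere.
if command -v sw_vers >/dev/null 2>&1; then
    patch_status macos "$(sw_vers -productVersion)"
else
    patch_status macos 11.5.2   # constructed sample input
fi
```

Feed it the output of `sw_vers -productVersion` on Macs, or the version strings an MDM export gives you for iPhones, iPads and watches; anything it reports as `check-build` or `unknown` needs a human look rather than a blind "patched".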
There is also a Safari 14.1.2 update for Mojave. Apple has released no security update for Mojave itself, but one may still be coming.
The Catalina update seemed to install fine for me (rebooting three times during the installation process).
The iOS update didn’t want to install over-the-air on my iPod Touch. The first time I tried, it said that the download failed. The second time, it said “To download and install this software update, connect your iPod Touch to your computer”. So I had to install the update via USB. It seems to have installed fine, but it started nagging me about enabling Siri (I had previously turned it off) in order to “complete the installation”. So I turned it on and off again and it stopped complaining.
This update installed without incident on both my iPad 6th gen. and iPhone 12 Mini. Currently installing in an Apple Watch 4. So far, so good!
Thank you Josh!
I have posted this to my FB wall for all of my clients.
iPhone says it needs a Wi-Fi connection. Except I’m traveling and the current Wi-Fi is one of those flaky insecure ones that you put the password in with a browser.
I understand completely. System updates are big - you generally don’t want to blow through your mobile data allowance for this.
Yes, I’m aware that you may have an unlimited plan, but even then there are often caps and you don’t want to end up rate-limited for the rest of the month if you go over.
As for using hotel wi-fi, a flaky connection can make the experience frustrating. I wouldn’t worry about security, since Apple uses HTTPS and signs their firmware installers.
If you need to wait a few days until you get home, I personally wouldn’t see a problem with it. If you’re concerned, just make sure to not open any downloaded PDFs on your phone until you get home. In my case, I don’t open very many, and they are almost always my own files that I’m downloading from my own Google Drive.
I just looked on my Update preferences, and yes, it says that 14.1.2 is available. I remember installing that a while ago with the last Security Update (2021-005), and when I look at “About Safari” it says: Version 14.1.2, and Finder Info for the Safari app also says Version 14.1.2.
See screen cap.
So should I click on “Install Now” and reinstall it?
I installed it and things seem fine, and About Safari says 14.1.2 (14618.104.22.168.7), so a (very!) slight bump in build number. So if you install it, it will be an update, not a reinstall.
Upgraded my devices (MBP16, iPhone 12 ProMax, iPad 12.9 2020, Watch 6 44mm SS) to said OS versions. Everything works fine.
I have 14.1.2 (14622.214.171.124.6) on my i9 MBP16.
FWIW, Catalina (2018 Mac mini), reports version 14.1.2 (156126.96.36.199.7, 15611).
Clearly, the first two digits of the build number are the corresponding macOS version number. The rest is the same as what @blm reported.
It turns out that the CoreGraphics vulnerability fixed in these updates is being used by NSO Group’s Pegasus spyware to enable a zero-click exploit. In other words, a Pegasus customer (a government, theoretically) can take over an iPhone merely by sending it an image.
In other words, update your Apple devices right away.
That’s not to say that anyone reading this is likely at risk. As Apple’s head of security engineering told the New York Times:
So unless you are personally of interest to a hostile government, there probably isn’t much to worry about.
My concern would be that now that the vulnerability has been fixed, it could be resold to lower-level criminals who would be happy to use it in a less targeted fashion against those who haven’t updated.
Well… My only guess is that they have somewhat different releases for specific mac models depending on specific hardware configs. It’s the last and most insignificant number, but mine still shows a .6 where yours shows .7.
At least according to the NBC & CBS national news on Monday night. I wonder if Apple will cover this tomorrow during the iPhone event.
According to what I just looked up, this is the same Pegasus exploit that has been used by nation states against various people for quite some time.
The big news is that someone appears to have delivered a copy to Apple, so now it will be possible for them to fix it (assuming it wasn’t the fix that just shipped today).
So it sounds like good news to me.
That’s what today’s system and security updates are about.
OK, well I can’t use any of those so it is moot for me. Fortunately I very seldom use iMessage - probably have used it less than a couple of dozen times in the last 10 years.
I’ve tried for a couple of days now to get the 11.6 to install in my iMac. I’ve restarted, closed all apps with just the software update. It gets to 10 minutes left and then doesn’t continue. Left it on overnight, and no update. Hoping the members here can provide a guide as it is a security update.
Is that completely true, or does the iPhone user need to display the image?
asking for a friend (and please don’t laugh), does this mean that anyone with an older operating system than Catalina is vulnerable to the Pegasus virus?
This is my question as well.
There are two possibilities:
- The older operating systems are not vulnerable. Apple would have released a version for Mojave at least, since it’s still doing security updates that far back. And the company has released updates to iOS 12 for the same reason.
- The updates for older operating systems may still be coming. It seems that Apple just learned about this zero-day, zero-click exploit and has been working around the clock to fix it. The current operating systems are by far the most important, so it’s possible we’ll see security updates for at least Mojave and iOS 12 in the next few days.
Never mind, I got macOS 11.6 installed this morning. I should have guessed that everyone, their mothers, and other sentient beings were all trying to download at once.
It’s a complete guess, but I would think that Apple would say the older operating systems are not vulnerable if that were the case.
Still a complete guess, but this seems more likely to me.
Yes, it appears that there are slightly different build numbers depending on what machine and OS you’re on. But I guess the real point is to trust Apple for this sort of update. Even though it looks like you’re updating 14.1.2 to 14.1.2, if software update says there’s a difference, assume there’s a difference.
That’s my guess as well, based on past security updates, where the Mojave (and earlier in cases there were ones for versions earlier than Mojave) update showed up a few days after the Catalina/Big Sur updates. It is a guess, but it would match what Apple has done in the past.
I’ll go ahead and update, and I guess see if more appears in the next few days. Thanks!
Updated devices. My iPhone 12 always defaults to “Do not disturb” no matter what I do.
My Series 6 watch now displays a watch face that I have never set. When I set the watch face I had, the next time the watch goes to sleep it changes back to the new default.
Anyone have a suggestion to correct this?
With most Security Updates there are examples of older OS versions being left out and I don’t remember a single instance of Apple telling us whether it was because they were not vulnerable or just being ignored. In a few instances, an independent person will post that they have determined that an older OS is or is not vulnerable, but never Apple.
Agreed. I’m sure Apple doesn’t do this for security reasons. If they are ignoring the problem, they don’t want to alert the bad guys to that fact. And Apple never says anything about obsolete operating systems other than in support documents that become necessary for some reason.
Thanks for the correction. I’ll expect no comment.
My practice for many years is to pin several apps to specific desktops on my Macs. In particular, I pin Apple Mail to Desktop 1 and Safari and Twitterific to Desktop 2. I leave Desktop 3 as a bland slate and pin Music to Desktop 4. I also keep a few blank desktops after Desktop 4.
macOS 11.6 moved Apple Mail to Desktop 3 on my MacBook but left it in place on my iMac. Of course, it was easy to fix in Mission Control, but somewhat mystifying.
I found this article to be interesting. It explains why it took so long for Apple to fix the Pegasus hack by NSO.
Apple doesn’t have direct access to iMessages. They are truly encrypted from end to end. Thus, unless NSO attacked Tim Cook’s iPhone, they didn’t know the way the hack worked.
This timeline shows how quickly Apple turned this around.
The article is here.
My elderly neighbor had to take her elderly iPhone into the local Apple store and have them assist her with the update. It took two hours. She says she was told there will be another iPhone update in a week or two and she will have to bring her phone in again when that pops up and fails.
Her issue is probably that her home computer is an elderly Windows box and her iPhone was too full and needed more gigabytes of free memory. But it’s a bit hard to figure out, they did not give her any written instructions she can follow at home, though she asked.
And this appears to have been the correct choice:
Not completely true. The iOS 12 update did address older hardware, but the only macOS update was Security Update 2021-006 Catalina which addressed a different vulnerability apparently unrelated to Pegasus. There still has been no update for macOS Mojave and earlier.
And I’m curious about what will happen with Mojave, since Apple is still supporting it with security updates until Monterey ships.
Lots of us are watching to see if Mojave is still receiving Security Updates, but it’s not really clear that Apple has an obligation to provide them until Monterey release. Howard Oakley has already counted them out in his recent blog How long does Apple support macOS? which shows Mojave as having the shortest Security Update period in recent times.
I wouldn’t call Apple providing updates to older systems an “obligation”, but rather a convenience to users of those systems to safely continue using them. Obviously not something in their best business interests, so my expectations are low.