Thoughtful, detailed coverage of everything Apple for 31 years
and the TidBITS Content Network for Apple professionals

iOS 12.5.5 and Security Update 2021-006 Catalina Block Exploited Vulnerabilities

Apple has released iOS 12.5.5 and Security Update 2021-006 for macOS 10.15 Catalina to address some particularly concerning security holes.

iOS 12.5.5 fixes three vulnerabilities. The first is the PDF vulnerability that enabled the Pegasus spyware used against activists. Apple fixed that in its more-current operating systems earlier this month (see “macOS 11.6 Big Sur, iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and Security Update 2021-005 Catalina Fix Security Flaws,” 13 September 2021).

As for the other two vulnerabilities, one is a WebKit flaw that could lead to arbitrary code execution, and the other is a bug in the Darwin XNU kernel that allows an attacker to execute code with kernel privileges. Security Update 2021-006 Catalina fixes only the kernel bug. Apple notes that all three vulnerabilities have been exploited in the wild.

If you’re still running either of these older operating systems, you should update immediately. You can install iOS 12.5.5 in Settings > General > Software Update and Security Update 2021-006 Catalina in System Preferences > Software Update.
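Because Security Update 2021-006 does not change Catalina's version number (a patched Mac still reports 10.15.7), "Software Update says I'm up to date" is not enough to confirm a machine is covered. The following shell function is an added example, not code from TidBITS or Apple: it classifies a Mac from the output of `sw_vers -productVersion` and `softwareupdate --history`, using the releases named in this article as thresholds. It assumes the update appears in the history listing under its display name "Security Update 2021-006", and it treats Big Sur 11.6 (the release cited above) as the fixed Big Sur version; both are assumptions for illustration, and the sample history text in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify a Mac's patch state for the
# vulnerabilities discussed above, so a fleet inventory can flag exposed hosts.
#
# classify_mac VERSION HISTORY
#   VERSION  output of `sw_vers -productVersion`, e.g. "10.15.7"
#   HISTORY  text of `softwareupdate --history`
# Prints exactly one of: PATCHED, MISSING_UPDATE, UNSUPPORTED, UNKNOWN
classify_mac() {
  version="$1"
  history="$2"
  major=$(printf '%s' "$version" | cut -d. -f1)
  minor=$(printf '%s' "$version" | cut -d. -f2)
  minor=${minor:-0}

  case "$major" in
    11)
      # Big Sur: assumption that 11.6, the release cited in the article,
      # is the fixed version; anything older is missing the fix.
      if [ "$minor" -ge 6 ]; then echo PATCHED; else echo MISSING_UPDATE; fi
      ;;
    10)
      case "$minor" in
        15)
          # Catalina stays at 10.15.7 after the update, so the version string
          # cannot tell us anything; look for the update in the install history.
          # Assumption: it is listed under the display name Apple uses.
          if printf '%s\n' "$history" | grep -q 'Security Update 2021-006'; then
            echo PATCHED
          else
            echo MISSING_UPDATE
          fi
          ;;
        *)
          # Mojave (10.14) and earlier received no fix for these bugs.
          echo UNSUPPORTED
          ;;
      esac
      ;;
    *)
      # Any other major version is outside what the article covers.
      echo UNKNOWN
      ;;
  esac
}

# Stand-alone use on a Mac: classify the host this script is running on.
if [ "$(uname)" = Darwin ]; then
  classify_mac "$(sw_vers -productVersion)" "$(softwareupdate --history 2>/dev/null)"
fi
```

Run it as root or a normal user on each Mac and collect the single word it prints; anything other than PATCHED deserves a visit. The history check is the important part: it is the only way to distinguish a patched Catalina from an unpatched one, since both show "Your Mac is up to date" if Software Update has nothing further to offer.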

Interestingly, Apple words its awareness of the exploits in two different ways. For the PDF and WebKit vulnerabilities, the company says, “Apple is aware of a report that this issue may have been actively exploited.” For the XNU vulnerability, it says, “Apple is aware of reports that an exploit for this issue exists in the wild.” The difference could be random, relate purely to the number of reports, or mean something specific.


Comments About iOS 12.5.5 and Security Update 2021-006 Catalina Block Exploited Vulnerabilities

Notable Replies

  1. I’m pretty certain that it was this: “Apple is aware of reports that an exploit for this issue exists in the wild.” but I can’t explain why it was necessary to patch the very same CVE again in the newer systems. Several possibilities:

    • The fix wasn’t carried over to a subsequent release and had to be re-introduced
    • Hackers found a workaround in the original patch requiring a better patch
    • Apple forgot that they already fixed it and erroneously listed it in those documents

    Doubt we’ll ever know.

  2. Security updates for (Mojave?) Safari and iPadOS 14.8 have been released.

  3. There’s dropping critical security support for older releases, and then there’s not telling anyone about it:

    I’ve no need to run Mojave myself, and my only Mac (besides my 12-inch PowerBook!) is an M1 Air, so this does not affect me. But ultimately all Macs enter the twilight where it becomes unclear how safe they are to use online (and therefore much at all). Clarity would be better than silence.

  4. To be fair, there are iOS devices that could not be upgraded beyond iOS 12. But every standard configuration Mac that could run Mojave could be updated to Catalina. Probably from Apple’s point of view, Mojave didn’t need security updates, because those systems can be upgraded to Catalina. And there are probably a lot more devices potentially stuck on iOS 12 than 2010-2012 Mac Pro systems with upgraded GPUs that could not go past Mojave.

    It’d be nice if Apple kept supporting old OSes, but it’s pretty well established now that they support three years worth, and, even as somebody who likes to keep devices as long as possible, I’d rather they work on securing current OSes than spend time on legacy versions.

  5. Perhaps. But Catalina is no ordinary point update: it terminates all 32 bit software support. Updating from Mojave can be immensely disruptive, as many of us remember ourselves.

    I don’t expect software to be supported forever. My real concern is how Apple turns off vital security support without even telling the remaining users. Without researching online, you can’t tell your Mac is now wide open to actively exploited MacOS vulnerabilities. All Software Update will ever tell you is “Your Mac is up to date.” Which is a lie.

  6. Out of interest, if I resorted to running Mojave in a virtual machine (eg Parallels) would it still be vulnerable to some security problems?

  7. Some, yes. Many malware developers recently have had a habit of checking to see if they are in a VM, which is a common way that security experts test for malware without causing damage to their main OS. If that type of malware detects that it’s running in a VM, it will stop the infection and often delete itself in the process.

  8. Additionally, if you’re running in a VM, you can selectively enable or disable hardware features (like networking interfaces).

    Most malware these days spreads/operates via Internet connections. If the app you need the old OS for doesn’t require network connectivity to operate, you can disable the VM’s network interface (or disable networking in the guest OS). This alone will protect it quite a bit.

    If you need network access for a specific activity (e.g. updating an app via the App Store), you can enable networking, perform your task, and then disable it again.

    And, of course, you can (and should) run a firewall app in the VM (Apple’s Firewall and probably something like Little Snitch), cranked up to maximum security, so it only permits the specific connections you require and nothing else.
