iOS 12.5.5 and Security Update 2021-006 Catalina Block Exploited Vulnerabilities
Apple has released iOS 12.5.5 and Security Update 2021-006 for macOS 10.15 Catalina to address some particularly concerning security holes.
iOS 12.5.5 fixes three vulnerabilities. The first is the PDF vulnerability that enabled the Pegasus spyware used against activists. Apple fixed that in its more-current operating systems earlier this month (see “macOS 11.6 Big Sur, iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and Security Update 2021-005 Catalina Fix Security Flaws,” 13 September 2021).
As for the other two vulnerabilities, one is a WebKit flaw that could lead to arbitrary code execution, and the other is a bug in the Darwin XNU kernel that allows an attacker to execute code with kernel privileges. Security Update 2021-006 Catalina fixes only the kernel bug. Apple notes that all three vulnerabilities have been exploited in the wild.
If you’re still running either of these older operating systems, you should update immediately. You can install iOS 12.5.5 in Settings > General > Software Update and Security Update 2021-006 Catalina in System Preferences > Software Update.
Interestingly, Apple words its awareness of the exploits in two different ways. For the PDF and WebKit vulnerabilities, the company says, “Apple is aware of a report that this issue may have been actively exploited.” For the XNU vulnerability, it says, “Apple is aware of reports that an exploit for this issue exists in the wild.” The difference could be random, relate purely to the number of reports, or mean something specific.
So this is interesting. The XNU bug was also fixed long ago in iOS 14.4/iPadOS 14.4 and in macOS 11.0.1 Big Sur, which came out on 1 February 2021. I wonder what happened that caused Apple to backpatch the older operating systems with it only now.
I just searched Apple Support for info about Mojave and XNU. Came up with nothing but this page was interesting:
I’m pretty certain that it was this: “Apple is aware of reports that an exploit for this issue exists in the wild,” but I can’t explain why it was necessary to patch the very same CVE again in the newer systems. Several possibilities:
Doubt we’ll ever know.
Security updates for (Mojave?) Safari and iPadOS 14.8 have been released.
There’s dropping critical security support for older releases, and then there’s not telling anyone about it:
I’ve no need to run Mojave myself, and my only Mac (besides my 12-inch PowerBook!) is an M1 Air, so this does not affect me. But ultimately all Macs enter the twilight where it becomes unclear how safe they are to use online (and therefore much at all). Clarity would be better than silence.
To be fair, there are iOS devices that could not be upgraded beyond iOS 12. But every standard configuration Mac that could run Mojave could be updated to Catalina. Probably from Apple’s point of view, Mojave didn’t need security updates, because those systems can be upgraded to Catalina. And there are probably a lot more devices potentially stuck on iOS 12 than 2010-2012 Mac Pro systems with upgraded GPUs that could not go past Mojave.
It’d be nice if Apple kept supporting old OSes, but it’s pretty well established now that they support three years worth, and, even as somebody who likes to keep devices as long as possible, I’d rather they work on securing current OSes than spend time on legacy versions.
Perhaps. But Catalina is no ordinary point update: it terminates all 32-bit software support. Updating from Mojave can be immensely disruptive, as many of us remember ourselves.
I don’t expect software to be supported forever. My real concern is how Apple turns off vital security support without even telling the remaining users. Without researching online, you can’t tell your Mac is now wide open to actively exploited macOS vulnerabilities. All Software Update will ever tell you is “Your Mac is up to date.” Which is a lie.
Out of interest, if I resorted to running Mojave in a virtual machine (e.g. Parallels), would it still be vulnerable to some security problems?
Some, yes. Many malware developers recently have had a habit of checking to see if they are in a VM, which is a common way that security experts test malware without causing damage to their main OS. If that type of malware detects that it’s running in a VM, it will stop the infection and often delete itself in the process.
Additionally, if you’re running in a VM, you can selectively enable or disable hardware features (like networking interfaces).
Most malware these days spreads/operates via Internet connections. If the app you need the old OS for doesn’t require network connectivity to operate, you can disable the VM’s network interface (or disable networking in the guest OS). This alone will protect it quite a bit.
If you need network access for a specific activity (e.g. updating an app via the App Store), you can enable networking, perform your task, and then disable it again.
And, of course, you can (and should) run a firewall app in the VM (Apple’s Firewall and probably something like Little Snitch), cranked up to maximum security, so it only permits the specific connections you require and nothing else.