The Mac Security Blog

Security & Privacy

Apple releases iOS 12.2, macOS Mojave 10.14.4, watchOS 5.2 with critical security updates

Posted on by

This week, Apple released updates to all of its operating systems, Safari for Mac, and other software. Here’s a brief rundown of new features and security related fixes included with each update.

iOS 12.2

Listed as an update that provides support for Apple News+, adds the ability for Siri to play videos from your iOS device to Apple TV, and includes four new Animoji. The update also includes bug fixes and improvements.

But this update does not just contain new features and enhancements; it also contains a whopping 51 security fixes. A few of the highlights:

FaceTime
Impact: A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.

file
Impact: Processing a maliciously crafted file might disclose user information
Description: An out-of-bounds read was addressed with improved bounds checking.

GeoServices
Impact: Clicking a malicious SMS link may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.

Mail
Impact: Processing a maliciously crafted mail message may lead to S/MIME signature spoofing
Description: This issue was addressed with improved checks.

Privacy
Impact: A malicious app may be able to track users between installs
Description: A privacy issue existed in motion sensor calibration. This issue was addressed with improved motion sensor processing.

Several serious kernel, WebKit, and other vulnerabilities were fixed. All in all, a huge number of security bugs were addressed in this update, so it is strongly recommended to install it sooner rather than later.

The full list of security issues addressed can be found here. iOS 12.2 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac (or Windows PC) and install the update via the iTunes app.

Notably, Apple still has not addressed the iOS Safari issue that allows anyone to send fake news headlines to other iMessage users.

tvOS 12.2

Available for the Apple TV HD—formerly known as the Apple TV (4th generation)—and Apple TV 4K, 36 security issues were addressed. Most of them the same as those addressed in iOS 12.2; the kernel, WebKit, and Siri all had some work done to make them more secure. Feature wise, the Apple TV only gains the ability to play videos that you ask Siri to play on your iOS device.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

Safari 12.1

The latest version of Safari for Mac—available for macOS Mojave, High Sierra, and Sierra users—brings a few enhancements that improve overall security.

Safari will now let you know when a website is loaded without encryption, this warning is displayed in the address bar. Support for the Do Not Track standard (which had good intentions, but never gained widespread advertisers) has been removed as well. Adoption of this standard was low and having it enabled actually made the browser more identifiable online as the setting becomes part of your browser fingerprint. 20 security related issues were addressed of which 18 are for WebKit and 2 are for Safari Reader.

The full list of security issues addressed can be found here. The new Safari 12.1 can be downloaded through the Updates tab of the App Store. For macOS Mojave users it is included in macOS 10.14.4

macOS 10.14.4, Security Update 2019-002 High Sierra, and Security Update 2019-002 Sierra

Last but not least, macOS got some update love. Security Updates for Sierra and High Sierra users and a security + feature update for Mojave users. Mojave now supports Apple News+, Safari adds Dark Mode support for websites with custom color schemes and iTunes enhanced the editorial highlights in the Browse tab. Also added was support for the 2nd generation AirPods. Further enhancements and fixes to the OS include:

  • Supports Air Quality Index in Maps for US, UK, and India.
  • Improves the quality of audio recordings in Messages.
  • Supports real-time text (RTT) for phone calls made through a nearby iPhone on Mac.2
  • Provides enhanced support for external GPUs in Activity Monitor.
  • Fixes an App Store issue that may have prevented adoption of the latest versions of Pages, Keynote, Numbers, iMovie, and GarageBand.
  • Improves the reliability of USB audio devices when used with MacBook Air, MacBook Pro, and Mac mini models introduced in 2018.
  • Corrects the default screen brightness for the MacBook Air introduced in 2018.
  • Fixes a graphics compatibility issue that may occur on some external displays connected to Mac mini (2018).
  • Resolves Wi-Fi connection issues that may occur after upgrading to macOS Mojave.
  • Fixes an issue where re-adding an Exchange account may cause it to disappear from Internet Accounts.
  • Fixes an issue where AOL user passwords may be frequently requested in Mail.

Of course there are more security related fixes included as well, 38 to be exact. These include:

Bom
Available for: macOS Mojave 10.14.3
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved handling of file metadata.

DiskArbitration
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password
Description: A logic issue was addressed with improved state management.

Graphics Drivers
Available for: macOS Mojave 10.14.3
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.

Time Machine
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A local user may be able to execute arbitrary shell commands
Description: This issue was addressed with improved checks.

There is some overlap with the security fixes in iOS and tvOS due to shared code among OS versions. The earlier mentioned FaceTime pause bug is one of them.

The full list of security issues addressed can be found here. macOS Sierra and High Sierra users can find the security update in the App Store app under the Updates tab. Mojave users should visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update) instead; on Mojave the App Store app will no longer list operating system updates. At the time of writing a Combo Update was not yet available for download.

watchOS 5.2

Although the other updates listed above were released on Monday, Apple waited until Wednesday to release the watchOS update; it’s unclear why there was a delay.

Since watchOS shares much of its code with iOS and tvOS, many the same vulnerabilities were fixed (29 in all; see the full list here).

Aside from security updates, watchOS 5.2 expands support for the ECG app and irregular heart rhythm notifications to Hong Kong and some regions of Europe (listed here), and supports AirPods (2nd generation).

To update to watchOS 5.2, you must first update your iPhone to iOS 12.2, then connect the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update and tap Download and Install.

Xcode 10.2

Apple’s software development app, Xcode, also received an update that fixed one security vulnerability (listed here). Oddly, the security bug addressed by this update seems to have been patched in all of Apple’s operating systems in early December 2018.

Apple software updates for Windows

Apple also released updates for the Windows versions of its software, namely iTunes 12.9.4 for Windows (19 vulnerabilities, detailed here) and iCloud for Windows 7.11 (20 vulnerabilities, detailed here).

Most of the security issues fixed were the same WebKit vulnerabilities addressed in the software listed above.

Back up your Macs and iOS devices before updating

Whether you’re using iOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

How can I learn more?

Be sure to check out these other articles related to the March 25 Apple Event:

At your service: The full lowdown on Apple TV+, Apple News+, Apple Card, and Apple Arcade

First look at Apple News+

Intego’s experts will discuss Apple’s new services in depth on this week’s episode of the Intego Mac Podcast, so be sure to subscribe to make sure you don’t miss the latest episode. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

You can also follow Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the ? to get notified about new videos).

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. View all posts by Jay Vrijenhoek →