Security & Privacy

Apple releases iOS 12.3, macOS Mojave 10.14.5, and more security updates

Posted on May 13th, 2019 by

This week, Apple released updates to all of its operating systems and Safari for Mac. Here's a brief rundown of new features and security related fixes included with each update.

iOS 12.3

This update includes support for AirPlay 2-enabled TVs, features a redesigned Apple TV app and includes bug fixes and improvements. It also contains 42 security fixes. A few of the highlights:

Lock Screen
Impact: A person with physical access to an iOS device may be able to see the email address used for iTunes
Description: A logic issue was addressed with improved restrictions.

Contacts
Impact: A malicious application may be able to read restricted memory
Description: An input validation issue was addressed with improved input validation.

Mail
Impact: Processing a maliciously crafted message may lead to a denial of service
Description: An input validation issue was addressed with improved input validation.

MobileLockdown
Impact: A malicious application may be able to gain root privileges
Description: An input validation issue was addressed with improved input validation.

Photos Storage
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: An access issue was addressed with additional sandbox restrictions.

Wi-Fi
Impact: A device may be passively tracked by its WiFi MAC address
Description: A user privacy issue was addressed by removing the broadcast MAC address.

Also included were 3 kernel fixes and 21 WebKit fixes, among others. All in all, a large amount of CVEs were addressed in this update, so it is recommended to install it sooner rather than later.

The full list of security issues addressed can be found here. iOS 12.3 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac (or Windows PC) and install the update via the iTunes app.

iOS 12 (including 12.3) is compatible with iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Older devices that cannot run iOS 12 are no longer receiving critical security updates.

Notably, Apple still has not addressed the iOS Safari issue that allows anyone to send fake news headlines to other iMessage users.

tvOS 12.3

This update for Apple TV 4K and Apple TV HD—formerly known as the Apple TV (4th generation)—includes general performance and stability improvements and a new Apple TV app. A total of 35 security issues were addressed, all of which were addressed in iOS 12.3; kernel, WebKit and Wi-Fi all had some work done to make them more secure.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

Apple TV Software 7.3

Unexpectedly, the old Apple TV (3rd generation), which Apple sold from 2012 to 2016, also received a software update. The update only included 3 security fixes: one for Bluetooth and two for Wi-Fi.

The very short list of security issues addressed can be found here. You can download and install the update by going to Settings > System > Software Update > Update Software.

watchOS 5.2.1

watchOS received a few new watch faces and all the other work was done in the form of security fixes. A total of 21 security issues were fixed, and as one might expect, these are the same as the ones addressed in iOS and tvOS (as many as applied to the Apple Watch operating system).

The new watchOS can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

Note that the original line of Apple Watch (nicknamed Series 0) is no longer getting security updates, and is stuck with watchOS 4.3.2 which was released in July 2018.

Safari 12.1.1

The latest version of Safari for Mac—available for macOS High Sierra and Sierra users, and included with macOS Mojave 10.14.5—brings a few bug fixes and enhancements that improve overall security; 21 security issues were addressed, all of which are for WebKit.

The full list of security issues addressed can be found here. For macOS High Sierra and Sierra users, the new Safari 12.1.1 can be downloaded through the Updates tab of the App Store. For macOS Mojave users it is included in macOS 10.14.5.

macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra

Last but not least, macOS received some updates: security-only updates for Sierra and High Sierra users, and a security-plus-feature update for Mojave users. The update for Mojave includes the following enhancements and fixes to the OS:

  • Adds AirPlay 2 support for sharing videos, photos, music and more from your Mac directly to your AirPlay 2-enabled smart TV.
  • Adds the ability to follow a magazine from the Apple News+ catalog browsing view (available in the U.S. and Canada only).
  • Improves audio latency on MacBook Pro models introduced in 2018.
  • Fixes an issue that prevented certain very large OmniOutliner and OmniPlan documents from rendering properly.
  • Disables accessories with insecure Bluetooth connections.
  • Fixes an issue that prevented resetting the user account password from the login window after using a personal recovery key (PRK) to unlock the FileVault volume.
  • Fixes an issue that prevented the InstalledApplicationList MDM command from recognizing that updates are available for apps installed via VPP.

Of course, there are security related fixes included as well: 51 security updates to be exact. These include:

Application Firewall
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved restrictions.

DesktopServices
Available for: macOS Mojave 10.14.4
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved checks.

EFI
Available for: macOS Mojave 10.14.4
Impact: A user may be unexpectedly logged in to another user’s account
Description: An authentication issue was addressed with improved state management.

StreamingZip
Available for: macOS Mojave 10.14.4
Impact: A local user may be able to modify protected parts of the file system
Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

Touch Bar Support
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.

The Mojave update includes brand new microcode (by way of an EFI firmware update) to mitigate speculative execution vulnerabilities in Intel CPUs. You may recall that Spectre and Meltdown were speculative execution exploits, which was followed by Foreshadow-NG (addressed in macOS Mojave 10.14.1), and now there is a new attack called ZombieLoad (discussed on episode 83 of the Intego Mac Podcast). More on the microcode content of the update can be found in Apple's documentation here. Notably, users will need to manually enable full mitigation through a manual process, if they choose to do so; it can cause up to a 40% reduction in system performance for some tasks, and since the vulnerability is not known to be exploited in the wild yet, Apple isn't enabling full mitigation by default. Stay tuned for an Intego article about ZombieLoad for further information.

The full list of security issues addressed for macOS can be found here. Users of macOS Mojave, High Sierra, and Sierra can install the updates via Apple menu > System Preferences... > Software Update.

iTunes Device Support Update

macOS users may also see an iTunes Device Support Update in their list of available software updates. Listed as an update that ensures proper updating and restoring for iOS devices using iTunes for Mac, no further details are provided by Apple, so what this update does exactly is currently unknown. No security-related fixes are mentioned for this update.

Back up your Macs and iOS devices before updating

Whether you're using iOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

How can I learn more?

Intego's experts discussed ZombieLoad and other major security vulnerabilities on this week's episode 83 of the Intego Mac Podcast. Be sure to subscribe to make sure you never miss the latest episode. You'll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

You can also follow Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →