
Apple Releases iOS 14.6, watchOS 7.5, macOS 11.4 and More, with Many Security Fixes


This week, Apple again released updates to all of their operating systems and to the Safari web browser. One of the zero-day security vulnerabilities that was patched allowed malware to take screenshots on infected Macs. The malware, named XCSSET, was found to be actively exploiting this vulnerability in the wild.
XCSSET was discovered late last year and targets Mac developers by infecting Xcode projects, using them to spread through GitHub repositories.

The good news for VirusBarrier users is that you’ve been protected from the XCSSET malware while Apple scrambled to implement these fixes.

iOS 14.6 and iPadOS 14.6

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
New features, functionality and bug fixes include:

  • Apple Card can be shared with up to five people, including anyone 13 years or older in your Family Sharing group
  • Lost mode option to add an email address instead of a phone number for AirTag and Find My network accessories
  • Unlock with Apple Watch may not work after using Lock iPhone on Apple Watch
  • Bluetooth devices could sometimes disconnect or send audio to a different device during an active call

With the last update less than three weeks ago, Apple still managed to fix 43 security-related issues. Here are some of them:

Core Services
Impact: A malicious application may be able to gain root privileges
Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

ImageIO
Impact: Processing a maliciously crafted image may lead to disclosure of user information
Description: An out-of-bounds read was addressed with improved bounds checking.

Kernel
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved validation.

Mail
Impact: Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination
Description: A use after free issue was addressed with improved memory management.

Notes
Impact: A user may be able to view restricted content from the lockscreen
Description: A window management issue was addressed with improved state management.

The full list of security issues addressed can be found here.

To install these latest updates, go to Settings > General > Software Update on your device. You can also connect your device to a Mac or Windows PC and use iTunes, or the Finder (in macOS Catalina or Big Sur), to update it.

iOS 12 & 13

Once again, no updates were made available for iOS 12 or 13. With the severity of the issues fixed in iOS 14 so far, continued use of these older iOS versions is not recommended. For these older iOS versions, either no further updates or a dramatic decrease in the frequency of updates is expected in the future.

tvOS 14.6

Available for: the Apple TV HD and Apple TV 4K
No new features or functionality this time around, just the typical performance and stability improvements. Of course there are some security-related fixes as well, 26 of them, most of which are the same as those addressed in iOS and iPadOS 14.6.

The full list of security issues addressed can be found here.
The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 7.5

Available for: Apple Watch Series 3 and later

watchOS 7.5 includes new features, improvements, and bug fixes:

  • Access to subscription content in the Podcasts app
  • Apple Card allows members to track expenses, manage spending, and build credit together with a Family Sharing group
  • Support for the ECG app on Apple Watch Series 4 or later in Malaysia and Peru
  • Support for irregular heart rhythm notifications in Malaysia and Peru

A total of 25 security issues were addressed, most of them the same as those addressed in iOS 14.6, iPadOS 14.6, and tvOS 14.6.

The full list of security issues addressed can be found here.

To install this update, make sure your iPhone is up to date first, both your phone and watch are connected to the same Wi-Fi network, and the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

watchOS 6

As with older versions of iOS, watchOS 6 has not benefited from this round of security updates. This makes continued use of the older operating system something to reconsider.

macOS Big Sur 11.4

macOS Big Sur 11.4 adds Apple Podcasts subscriptions and channels and includes important bug fixes.

Podcasts

  • Apple Podcasts subscriptions are available for purchase via monthly and annual subscriptions
  • Channels group together collections of shows from podcast creators

This release also fixes the following issues:

  • Bookmarks in Safari may get reordered or moved into a folder that can appear hidden
  • Certain websites may not display correctly after your Mac wakes from sleep
  • Keywords may not be included when exporting a photo from the Photos app
  • Preview may become unresponsive when searching PDF documents
  • 16-inch MacBook may become unresponsive when playing Civilization VI

Then there are the security fixes, 73 in total, making this a significant update. Here are a few of the highlights:

App Store
Impact: A malicious application may be able to break out of its sandbox
Description: A path handling issue was addressed with improved validation.

Dock
Impact: A malicious application may be able to access a user’s call history
Description: An access issue was addressed with improved access restrictions.

Login Window
Impact: A person with physical access to a Mac may be able to bypass Login Window
Description: A logic issue was addressed with improved state management.

Software Update
Impact: A person with physical access to a Mac may be able to bypass Login Window during a software update
Description: This issue was addressed with improved checks.

TCC
Impact: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.
Description: A permissions issue was addressed with improved validation.
This is the zero-day vulnerability the XCSSET malware was exploiting.

The full list of security issues addressed can be found here.
To get this update, visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update).

Security Update 2021-003 Catalina

The latest security update for macOS Catalina includes 48 security fixes, which are the same as those found in the latest Big Sur update.

The full list of security issues addressed can be found here.
To get this update, visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update).
This security update is not available yet on Apple’s downloads website at the time of writing.

Security Update 2021-004 Mojave

The latest security update for Mojave includes 42 security fixes, which are the same as those found in the latest Big Sur update.

The full list of security issues addressed can be found here.
To get this update, visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update).
This security update is not available yet on Apple’s downloads website at the time of writing.

It is worth noting that the Transparency, Consent, and Control (TCC) framework, which was patched in Big Sur to mitigate the XCSSET malware exploit, was not patched in macOS Catalina or Mojave. Catalina received one TCC patch unrelated to the malware exploit and Mojave received no TCC patches at all. As these two previous macOS versions are still supported with security updates, we can only assume that the malware was unable to exploit the framework in the same way as it did on Big Sur.

Still, users of these previous macOS versions may want to adopt the “better safe than sorry” philosophy and grab VirusBarrier for added protection.

Safari 14.1.1

Available for: macOS Catalina and macOS Mojave
This is a small update for Mojave and Catalina users that fixes 10 security vulnerabilities.
To get this update, visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update). For Big Sur users the latest version of Safari is built into the 11.4 update.

Whether you’re using iOS, iPadOS, or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:
How to Verify Your Backups are Working Properly

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We discuss these security updates and more in episode 189 of the Intego Mac Podcast.


About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research.