Apple releases iOS 14.7, watchOS 7.6, macOS 11.5, and more

Posted on July 22nd, 2021 by


Apple has released updates to all of its operating systems and to the Safari web browser this week. The first round of updates was issued on Monday, but the security update notes were held back as the macOS updates had not been released yet. Now that the macOS updates have been released to the public, all the security update information is available. Here’s what’s been patched this week.

iOS 14.7 and iPadOS 14.7

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

New features, functionality and bug fixes include:

  • MagSafe Battery Pack support for iPhone 12, iPhone 12 mini, iPhone 12 Pro and iPhone 12 Pro Max
  • Air quality information is now available in Weather and Maps for Canada, France, Italy, Netherlands, South Korea, and Spain
  • (fixed) Dolby Atmos and Apple Music lossless audio playback may unexpectedly stop
  • Braille displays could show invalid information while composing Mail messages

A total of 37 security issues were addressed in the iOS and iPadOS updates as well. Here are some of them:

Find My
Impact: A malicious application may be able to access Find My data
Description: A permissions issue was addressed with improved validation.

Identity Service
Impact: A malicious application may be able to bypass code signing checks
Description: An issue in code signature validation was addressed with improved checks.

Image Processing
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.

libxml2
Impact: A remote attacker may be able to cause arbitrary code execution
Description: This issue was addressed with improved checks.

Wi-Fi
Impact: Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution
Description: This issue was addressed with improved checks.

The Wi-Fi fix likely addresses the uncontrolled format string bug that was triggered when users joined a Wi-Fi network named “%p%s%s%s%s%n”. Discovered in late June of this year, this would cause the iOS or iPadOS device to lose the ability to join that network and, in most cases, any other Wi-Fi network after that. It was said Apple had addressed this bug in its iOS 14.4 release, but the vulnerability could still be exploited up to and including iOS 14.6. Let’s hope this update takes care of this bug once and for all.
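To show what "uncontrolled format string" means in general, here is an added C illustration; it is not Apple's code and not from the original article. It contrasts passing an untrusted network name as the format argument with passing it as data, and counts the directives in the name quoted above. All function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample input: the network name quoted in the article. */
static const char SAMPLE_SSID[] = "%p%s%s%s%s%n";

#ifdef DEMO_VULNERABLE
/* Vulnerable pattern (not compiled by default): the untrusted name is the
   format argument, so its % directives are interpreted by snprintf. */
static int format_ssid_unsafe(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, ssid);
}
#endif

/* Hardened pattern: constant format string, the name is only ever data. */
static int format_ssid_safe(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, "Joining network: %s", ssid);
}

/* Count printf-style directives in an untrusted string.
   "%%" is a literal percent sign and a trailing lone '%' is ignored. */
static size_t count_format_directives(const char *s)
{
    size_t count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {      /* escaped percent, skip both */
            i++;
            continue;
        }
        if (s[i + 1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    char line[128];
    format_ssid_safe(line, sizeof line, SAMPLE_SSID);
    printf("%s\n", line);
    printf("directives in name: %zu\n", count_format_directives(SAMPLE_SSID));
    return 0;
}
```

Compiler warnings such as `-Wformat-security` flag the vulnerable pattern when the format argument is not a string literal.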

The full list of security issues addressed can be found here.

To update your devices, go to Settings > General > Software Update on your iPhone, iPad, or iPod touch. You can also update your device by connecting to a Mac, selecting it in the Finder, and following the instructions there. On Windows, you can do this in iTunes after connecting your device to your PC.

tvOS 14.7

Available for: the Apple TV HD and Apple TV 4K
No new features or functionality this time around, just the usual performance and stability improvements. There are also 20 security fixes, most of them the same as those addressed in iOS and iPadOS 14.7.

The full list of security issues addressed can be found here.

You can update the Apple TV by going to Settings > System > Update Software.

watchOS 7.6

Available for: Apple Watch Series 3 and later

watchOS 7.6 includes new features, improvements, and bug fixes:

  • Access to subscription content in the Podcasts app
  • Apple Card Family adds support for families to track expenses, manage spending with optional limits and controls, and build credit together
  • Support for the ECG app on Apple Watch Series 4 or later in Malaysia and Peru
  • Support for irregular heart rhythm notifications in Malaysia and Peru

A total of 21 security issues were addressed. Most of them are the same as those addressed in iOS 14.7, iPadOS 14.7 and tvOS 14.7.

The full list of security issues addressed can be found here.

To install this update, first make sure that your iPhone is up to date, that both your phone and watch are connected to the same Wi-Fi network, and that the watch has at least a 50% charge. Then open the Watch app on your phone and tap General > Software Update.

macOS Big Sur 11.5

macOS Big Sur 11.5 includes the following improvements for your Mac:

  • Podcasts Library tab allows you to choose to see all shows or only followed shows

This release also fixes the following issues:

  • Music may not update play count and last played date in your library
  • Smart cards may not work when logging into Mac computers with the M1 chip

There are 36 security fixes. Here are a few of the highlights:

CoreServices
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: An access issue was addressed with improved access restrictions.

CoreStorage
Impact: A malicious application may be able to gain root privileges
Description: An injection issue was addressed with improved validation.

Identity Services
Impact: A malicious application may be able to access a user’s recent Contacts
Description: A permissions issue was addressed with improved validation.

Kext Management
Impact: A malicious application may be able to bypass Privacy preferences
Description: This issue was addressed with improved entitlements.

Sandbox
Impact: A malicious application may be able to access restricted files
Description: This issue was addressed with improved checks.

The full list of security issues addressed can be found here.

To get this update, go to the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update).

Security Update 2021-003 Catalina

The latest security update for Catalina includes 26 security fixes, which are the same as those found in the latest Big Sur update.

The full list of security issues addressed can be found here.

To get this update, visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update).

This security update is not available yet on Apple’s downloads website at the time of writing.

Security Update 2021-004 Mojave

The latest security update for Mojave includes 20 security fixes, which are the same as those found in the latest Big Sur update.

The full list of security issues addressed can be found here.

To get this update, visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update).

This security update is not available yet on Apple’s downloads website at the time of writing.

With macOS Monterey likely being released around September, it’s time to start thinking about upgrading to Catalina, if you’re still running Mojave and if your hardware supports it. This way you’ll benefit from security updates for another year. macOS Mojave security updates are expected to stop being released as soon as macOS Monterey is released to the public.

Safari 14.1.2

Available for: macOS Catalina and macOS Mojave.

This is a small update for Mojave and Catalina users that fixes 3 WebKit vulnerabilities.

To get this update, visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update). For Big Sur users, the latest version of Safari is built into the 11.5 update.

Whether you’re using iOS, iPadOS, or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:
How to Verify Your Backups are Working Properly

We talked about these new security updates and more in episode 197 of the Intego Mac Podcast.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.