Apple releases macOS Catalina 10.15.3, iOS 13.3.1, and more

Posted on January 28th, 2020 by Jay Vrijenhoek

This week Apple released updates to all of its operating systems and Safari browser. Here’s a brief rundown of new features and security-related fixes included with each update.

iOS 13.3.1 and iPadOS 13.3.1

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Apple describes the update’s new features as follows:

Includes bug fixes and improvements. This update:

  • Fixes an issue in Communication Limits that could allow a contact to be added without entering the Screen Time passcode
  • Adds a setting to control the use of location services by the U1 Ultra Wideband chip
  • Addresses an issue that could cause a momentary delay before editing a Deep Fusion photo taken on iPhone 11 or iPhone 11 Pro
  • Resolves an issue with Mail that could cause remote images to load even when the “Load Remote Images” setting is disabled
  • Fixes an issue that could cause multiple undo dialogs to appear in Mail
  • Addresses an issue where FaceTime could use the rear facing ultra-wide camera instead of the wide camera
  • Resolves an issue where push notifications could fail to be delivered over Wi-Fi
  • Addresses a CarPlay issue that could cause distorted sound when making phone calls in certain vehicles
  • Introduces support for Indian English Siri voices for HomePod.

Some security-related issues were addressed as well: 23, to be exact. Here’s a sampling of some interesting ones:

FaceTime
Impact: A remote FaceTime user may be able to cause the local user’s camera self-view to display the incorrect camera
Description: An issue existed in the handling of the local user’s self-view. The issue was corrected with improved logic.

ImageIO
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.

Mail
Impact: Turning off “Load remote content in messages” may not apply to all mail previews
Description: This issue was addressed with improved setting propagation.

Screenshots
Impact: Screenshots of the Messages app may reveal additional message content
Description: An issue existed in the naming of screenshots. The issue was corrected with improved naming.

Eight of the fixes were for bugs in the kernel, the core component of the operating system, addressing serious issues such as arbitrary code execution and apps being able to access restricted memory.

The full list of security issues addressed can be found here.

iOS 12.4.5

Apple lists iOS 12.4.5 simply as an update that provides important security updates and is recommended for all users; it has not released security notes for this update.

Regardless of whether your device is compatible with iOS 13 or iPadOS, or if it is limited to iOS 12, you can obtain the updates over the air (without tethering to a computer) by going to Settings > General > Software Update. You can also connect your device to your Mac (or Windows PC with iTunes) to install the update.

tvOS 13.3.1

Apple simply states that tvOS 13.3.1 includes general performance and stability improvements. The update is available for the Apple TV HD and Apple TV 4K and addresses a total of 14 security issues, most of them the same as those addressed in iOS and iPadOS 13.3.1. Kernel, ImageIO and Audio all had some work done to make them more secure.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 6.1.2

Apple says that watchOS 6.1.2 “provides important security updates and is recommended for all users.” A total of 15 security-related issues were fixed, and as you’ve come to expect, these are the same issues addressed in iOS, iPadOS, and tvOS.

The full list of security issues addressed can be found here.

Safari 13.0.5

The latest version of Safari, available for macOS Mojave and High Sierra, brings a few bug fixes and enhancements that improve overall security. Only two security issues were addressed:

Safari
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.

Safari Login AutoFill
Impact: A local user may unknowingly send a password unencrypted over the network
Description: The issue was addressed with improved UI handling.

Safari 13.0.5 can be downloaded through the Updates tab of the App Store for High Sierra and through System Preferences > Software Update for Mojave. For macOS Catalina, it is included in macOS 10.15.3.

macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra

Last but not least, macOS received some updates: security-only updates for Mojave and High Sierra, and a bugfix-plus-security update for Catalina:

The macOS Catalina 10.15.3 update improves the stability, reliability, and security of your Mac, and is recommended for all users.

  • Optimizes gamma handling of low gray levels on Pro Display XDR for SDR workflows when using macOS
  • Improves multi-stream video editing performance for HEVC and H.264-encoded 4K video on the MacBook Pro (16-inch, 2019)

There were 32 security-related fixes included for macOS Catalina, but only 17 of them are available for Mojave and High Sierra. Some of the more interesting updates include:

autofs
Available for: macOS Catalina 10.15.2
Impact: Searching for and opening a file from an attacker controlled NFS mount may bypass Gatekeeper
Description: This was addressed with additional checks by Gatekeeper on files mounted through a network share.

sudo
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.2
Impact: Certain configurations may allow a local attacker to execute arbitrary code
Description: A buffer overflow issue was addressed with improved memory handling.

Wi-Fi
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.2
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: A memory corruption issue was addressed with improved input validation.

Image Processing
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.2
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.

The full list of security issues addressed can be found here. macOS High Sierra users can find the security update in the App Store app under the Updates tab. Mojave and Catalina users should visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update) instead. Standalone updates can also be downloaded from the following links:

Whether you’re using iOS, iPadOS, or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.