Apple releases macOS Catalina 10.15.4, iOS 13.4, and more

Posted on March 24th, 2020 by

Apple released updates to all of its operating systems and Safari browser today. Here’s a brief rundown of new features and security-related fixes included with each update.

iOS 13.4 and iPadOS 13.4

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Apple describes these updates’ new features as follows:

iOS 13.4 introduces new Memoji stickers and iCloud Drive folder sharing from the Files app. This update also contains bug fixes and improvements.

The list of fixes is long, so you can have a look at the complete list here on Apple’s website. Some highlights:

  • Adds status bar indicator to display when VPN has disconnected on iPhone models with all-screen displays
  • Fixes an issue in Mail where messages may appear out of order
  • Fixes an issue in Settings where cellular data may incorrectly display as off
  • Fixes an issue in Safari where a CAPTCHA tile may display incorrectly
  • Resolves an issue where CarPlay may lose its connection in certain vehicles

Several security-related issues were addressed as well, 30 of which Apple specifically named. Here are some of them:

ActionKit
Impact: An application may be able to use an SSH client provided by private frameworks
Description: This issue was addressed with a new entitlement.

Bluetooth
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: A logic issue was addressed with improved state management.

Mail
Impact: A local user may be able to view deleted content in the app switcher
Description: The issue was resolved by clearing application previews when content is deleted.

Messages
Impact: A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled
Description: A logic issue was addressed with improved state management.

Two of the fixes were for bugs in the kernel, the core component of the operating system, addressing serious issues such as the access of restricted memory by applications and arbitrary code execution. There were also several security fixes related to WebKit, a page-rendering framework utilized by Safari and many other parts of the operating system.

The full list of security issues addressed can be found here.

iOS 12.4.6

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation

Apple describes iOS 12.4.6 simply as an update that “provides important security updates and is recommended for all users.” No specific security-related release notes were available at the time of writing. Apple’s website simply states, “This update has no published CVE entries.” This statement sometimes means that security issues were addressed that cannot yet be published, as those same issues exist in other operating systems that have not been fixed yet.

Regardless of whether your device is compatible with iOS 13 or iPadOS 13, or if it is limited to iOS 12, you can obtain the updates over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

tvOS 13.4

tvOS 13.4 is listed simply as an update that includes general performance and stability improvements. It is available for the Apple TV HD and Apple TV 4K, and a total of 20 security issues were addressed, most of them the same as those addressed in iOS and iPadOS 13.4. Kernel, WebKit and IOHIDFamily all had some work done to make them more secure.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 6.2

Available for: Apple Watch Series 1 and later

Apple says that watchOS 6.2 “includes new features, improvements, and bug fixes.”

Apple specified 17 security-related issues that were fixed. As one might expect, these overlap with the issues addressed in the latest updates for iOS, iPadOS, and tvOS.

The full list of security issues addressed can be found here.

watchOS 5.3.6

Available for: Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to an iPhone with iOS 12 installed

Similar to the iOS 12.4.6 update, Apple simply states that watchOS 5.3.6 “provides important security updates and is recommended for all users.” No security-related release notes were available at the time of writing. Apple’s website simply states, “This update has no published CVE entries.” Again, like the iOS 12.4.6 update, this could potentially mean that security issues were addressed that cannot yet be published, as those same issues may exist in other operating systems that have not been fixed yet.

watchOS can be installed by connecting the watch to its charger and then, on the iPhone, opening the Apple Watch app > My Watch tab > General > Software Update.

Safari 13.1

The latest version of Safari, included in macOS Catalina and also available for macOS Mojave and macOS High Sierra, contains improvements to tabs, performance and security. Apple specifically names 11 security issues that were addressed, a couple of which include:

Safari Downloads
Impact: A malicious iframe may use another website’s download settings
Description: A logic issue was addressed with improved restrictions.

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.

Out of the 11 fixes, ten were for WebKit.

The full list of security issues addressed can be found here. Safari 13.1 can be downloaded through the Updates tab of the App Store for High Sierra users and through System Preferences > Software Update for Mojave users. For macOS Catalina users it is included in macOS 10.15.4.

macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra

Last but not least, macOS received some updates: security-only updates for Mojave and High Sierra, and a bugfix-plus-security update for Catalina:

macOS Catalina 10.15.4 introduces iCloud Drive folder sharing, Screen Time communication limits, Apple Music time-synced lyrics view, and more. The update also improves the stability, reliability, and security of your Mac.

The list of enhancements and fixes is long and can be viewed in full here on Apple’s website. Some highlights include:

  • Communication limits for controlling who your children can communicate with and be contacted by throughout the day and during downtime
  • Playback control of music videos for your children
  • Option to import Chrome passwords into your iCloud Keychain for easy AutoFill of your passwords in Safari and across all your devices
  • Head pointer preference for moving a cursor on the screen based on the precise movements of your head

Of course there are security-related fixes included as well, of which Apple specifically names 27. Six of these are available for macOS High Sierra and Mojave. The security fixes include:

Bluetooth
Available for: macOS Catalina 10.15.3
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read was addressed with improved input validation.

Call History
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to access a user’s call history
Description: This issue was addressed with a new entitlement.

FaceTime
Available for: macOS Catalina 10.15.3
Impact: A local user may be able to view sensitive user information
Description: A logic issue was addressed with improved state management.

Mail
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A remote attacker may be able to cause arbitrary javascript code execution
Description: An injection issue was addressed with improved validation.

Time Machine
Available for: macOS Catalina 10.15.3
Impact: A local user may be able to read arbitrary files
Description: A logic issue was addressed with improved state management.

The full list of security issues addressed can be found here. macOS High Sierra users can find the security update in the App Store app under the Updates tab. Mojave and Catalina users should visit the Software Update pane in System Preferences (Apple menu > System Preferences… > Software Update) instead. Standalone updates can also be downloaded from the following links:

Whether you’re using iOS, iPadOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly


About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.