Software & Apps

Apple’s macOS Catalina 10.15 addresses security bugs

Posted on October 8th, 2019 by

Apple’s latest Mac operating system, macOS Catalina, is here, and with it comes a long list of new features and functionality: a new podcast app, Sidecar, Screen Time, accessibility improvements, snapshot restore—and, of course, security enhancements, some of which we initially reported about in our coverage of the WWDC 2019 keynote.

Some of the new security enhancements include an enhanced Gatekeeper, data protections that check with you when an app wants to access certain data, and a dedicated system disk volume from which the operating system runs, which is now read-only. This last feature will improve reliability while minimizing malware and limiting unauthorized processes’ ability to tinker with the system.

The list is long and there is much to explore, but in addition to the features noted above, there are more security improvements with less fanfare from Apple.

Security vulnerabilities addressed

Released on October 7th, Apple listed a total of sixteen security issues addressed in the initial public release of macOS Catalina 10.15. These include, but are not limited to:

AMD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.

CoreAudio
Impact: Processing a maliciously crafted movie may result in the disclosure of process memory
Description: A memory corruption issue was addressed with improved validation.

Intel Graphics Driver
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.

Notes
Impact: A local user may be able to view a user’s locked notes
Description: The contents of locked notes sometimes appeared in search results. This issue was addressed with improved data cleanup.

Last week on the Intego Mac Podcast, Josh and Kirk mentioned a yet-unresolved PDF vulnerability. This issue appears to have been addressed in Catalina:

PDFKit
Impact: An attacker may be able to exfiltrate the contents of an encrypted PDF
Description: An issue existed in the handling of links in encrypted PDFs. This issue was addressed by adding a confirmation prompt.

An attacker being able to read the contents of an encrypted PDF is a nightmare scenario for those that rely on password-protected PDF documents. Encrypted PDFs are used by many corporations that exchange sensitive information, including medical and legal services, so this was an important issue for Apple to address quickly.

Among the other issues addressed were two kernel and two WebKit issues. The full list of addressed issues can be found here.

To install macOS Catalina, you can find it in the Mac App Store and install it from there, or click the notification prompt when it pops up on your Mac.

No corresponding updates have been released for macOS Mojave (10.14) or macOS High Sierra (10.13), so as of the time of writing the only way to be protected from these security vulnerabilities is to upgrade to Catalina.

The release of Catalina also marks macOS Sierra (10.12) as officially unsupported. No further security or maintenance updates will be released for that operating system.

If you think that sixteen security patches in a brand new OS seems a bit low, you’re probably right. We fully expect this list to be amended when Apple releases security updates for its other operating systems, so it’s worth circling back later to see what has been added. (When macOS Mojave was initially released, Apple’s security documentation mentioned 55 resolved issues, but if you check that same page today, you’ll see 65 resolved issues listed.)

Catalina is available for:

  • MacBook (Early 2015 and later)
  • MacBook Air (Mid 2012 and later)
  • MacBook Pro (Mid 2012 and later)
  • Mac mini (Late 2012 and later)
  • iMac (Late 2012 and later)
  • iMac Pro (all models)
  • Mac Pro (Late 2013 and later)

Unsupported Macs may also benefit from Catalina improvements

As with most new OS releases, some users of older hardware will be left out in the cold, but as explored in our article “How to keep older Macs secure: a geeky approach,” many older systems can run the latest version of macOS without being officially supported by Apple. A third-party developer has released a new macOS Catalina Patcher that allows certain unsupported Macs to run Catalina, including the following:

  • Early-2008 or newer Mac Pro, iMac, or MacBook Pro
  • Late-2008 or newer MacBook Air or Aluminum Unibody MacBook
  • Early-2009 or newer Mac Mini or white MacBook
  • Early-2008 or newer Xserve

Of course, since this upgrade method is not supported by Apple, attempting to upgrade unsupported Macs is entirely at your own risk. That said, Catalina runs amazingly well on my 2009 17″ Core 2 Duo MacBook Pro and 2012 Mac Pro thanks to this patcher, and Intego’s Josh Long has also reported success installing Catalina on his 2007 iMac:

Before you upgrade: back up your Mac, and check your apps

Regardless of whether or not your Mac officially supports Catalina, make sure all your data is backed up properly before you attempt the upgrade.

Also be aware that older, 32-bit applications will no longer work in Catalina; these include Apple’s now-defunct Aperture, the Microsoft Office 2011 suite (which is no longer getting security updates), DragThing, Wine, and a plethora of classic games. You can check your apps by going to the Apple menu > About This Mac > System Report… and then look for Applications under Software; there’s a “64-Bit (Intel)” column you can use to sort by 64-bit apps (designated as “Yes”) versus 32-bit apps (“No”). Alternatively, a third-party app such as Go64 or 32-bitCheck can check your Mac for apps that may this not be compatible with Catalina. You can also check an online database like RoaringApps (which also has a third-party app) to identify some potentially Catalina-incompatible apps. If you find any Catalina-incompatible apps on your Mac (aside from those included with macOS, which should get updated automatically), check with the developer to see if a Catalina-compatible version is available or coming soon.

Related articles:

How can I learn more?

Each week on the Intego Mac Podcast, we discuss security, privacy, Apple, and related topics. Be sure to subscribe to make sure you never miss the latest episode!

Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

And make sure you’re following Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →