SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 179: An Updates Update

Posted on April 3, 2020

Apple has released updates for a number of apps and OSes over the past couple of weeks. In this Checklist, we’ll take you through the most important of these — covering new features as well as security fixes.

macOS Catalina 10.15.4

Mac users have a few new features to look forward to with the latest version of Catalina. Finder received several tweaks, including iCloud Drive folder sharing capabilities, as well as improved access and permissions controls. Screen Time continues to beef up parents’ ability to look out for their kids online, with playback control of music videos and improvements to the Communication Limits feature. There were also some improvements in Safari, including the ability to import Chrome passwords into Keychain to allow AutoFill across devices, as well as some new features and fixes for Macs used in the enterprise.

In terms of security, Apple’s release notes list 22 fixes to existing issues in the OS (also patched in Security Update 2020-002 for both Mojave and High Sierra). We’ll discuss a few of the more important ones here.

One item that stood out was a patch to a memory issue in the AppleGraphicsControl driver, which could have allowed a malicious program to execute code with kernel privileges. If you’ve listened to the Checklist for a while, you know that the “kernel” is the core code of an operating system, which is why any vulnerability that can interfere with its operation or allow another program to run with kernel permissions is potentially very serious. The kernel is sensitive enough that Apple engineers have always been wary of allowing anyone to get too close to it, and this is probably why Apple recently deprecated kexts, or kernel extensions, for third-party app developers. Kexts were additional code written by non-Apple developers, intended to extend the functionality of the kernel so that their apps would work properly. Kexts, while important, were long seen as a potential security risk by people inside as well as outside of Apple. In Catalina, kexts have now been replaced by system extensions, which basically perform the same functions that kexts did, but run in user space instead, leaving the kernel untouched.

Apple also fixed an issue with Transparency, Consent, and Control (TCC), a feature designed to protect users by telling them what actions are being taken by different apps on their systems, and by preventing those apps from accessing data that they don’t need. In addition, TCC is involved in the enforcement of code-signing for third-party apps, which helps ensure that any app code running on a system comes from a legitimate Apple Developer. Unfortunately, a vulnerability in TCC could have allowed bad guys to bypass the code signing checks, which is obviously not something you want to happen!

There were also a couple of privacy fixes in the latest release of macOS. A bug in FaceTime could have allowed local users to view private information that they shouldn’t have been able to access: This was patched. In addition, there was an issue in Call History — now patched — that could have permitted a malicious application to get hold of your call records.

There were plenty of other security fixes as well, so this is definitely a good time to update. However, there is one important caveat, which we’ll get into at the end of these Checklist notes, so make sure you read it before updating.

iOS 13.4 and iPadOS 13.4

Apple’s mobile operating systems got some love this time around as well. In terms of features, iPadOS 13.4 delivered mouse and trackpad support to Apple’s tablet, something that iPad users had been waiting for. For those of us who like to communicate a bit more visually, Apple added nine new Memoji stickers as well. There’s also a nice recovery option included in these updates: Internet OS recovery. Previously, if you wanted to do a firmware recovery, you had to physically plug your device into a computer. Now, you’ll be able to reset and/or update devices over WiFi, no cable required. There were also some UI/UX improvements to Mail, Siri, and Keyboard.

In terms of security, WebKit — the browser engine that powers Safari and other iOS browsers — received several patches. These fixes addressed issues that could have resulted in code execution, unauthorized access to restricted memory, and more.

There were also some kernel problems addressed in this update, including fixes to system memory weaknesses that could have resulted in unauthorized memory reads or code execution, as well as a patch for a vulnerability in the IOHIDFamily kernel extension, which could have allowed code execution with kernel privileges. 

Finally, there was a nice privacy enhancement in the new iOS and iPadOS: Safari now blocks cookies for cross-site resources by default. This will make it harder for businesses and advertisers to engage in cross-site tracking. Sad news for digital marketers, alas, but a definite win for just about everyone else.

As with macOS, there were even more issues fixed in iOS 13.4 and iPadOS 13.4, so if you don’t have automatic updates enabled, you’ll want to go to the Settings menu and get the latest version of the operating system yourself. But again, as with macOS, there’s a special warning about updating this time around, so do scroll to the bottom of this page and read it before you run your updates.

watchOS 6.2 and tvOS 13.4

The Apple Watch and Apple TV both have their own operating systems, and these also received updates recently.

The tvOS update was geared more towards performance than features, but did contain some security fixes as well, which we’ll get to below.

Apple Watch users have some new features and UX improvements to look forward to. For starters, watchOS 6.2 now lets you perform in-app purchases from your wrist, which some will undoubtedly find more convenient. In addition, the update fixed a problem which had been causing music to cut out when going from a WiFi to a Bluetooth connection, and also added ECG support for later model watches in three more countries: Turkey, Chile, and New Zealand. 

In terms of security concerns addressed by the new operating systems, there are several things to note here. Many of the same issues fixed in iOS and macOS were also patched in tvOS and watchOS, including a number of kernel bugs and all of those WebKit vulnerabilities mentioned above. In addition, the new OSes addressed a problem in Icons: There was a bug that could have allowed a malicious app to learn which other applications were installed on the device — a potential privacy risk at the very least. Icons had another vulnerability in watchOS: a bug that could have allowed unauthorized, improperly permissioned disclosure of media files. This too was fixed in watchOS 6.2.

An exception to the rule

While updating your OSes is always recommended, sometimes those updates don’t go as smoothly as we’d like, because a new OS version can introduce compatibility issues with older devices that it can no longer interface with properly.

Unfortunately, this seems to be the case with iOS 13.4 and macOS 10.15.4, in particular with respect to FaceTime. Here’s the problem: When devices with the new OSes attempt to connect to older phones or tablets running on iOS 9.3.5 or iOS 9.3.6, or vice versa, FaceTime doesn’t work properly. 

Normally, we’d probably tell you not to worry about it, or maybe gently suggest that it’s time for your friend to get a new mobile device! But with all that’s going on in the world, this issue is potentially serious — especially with so many of us relying on FaceTime to communicate with loved ones during lockdowns and quarantines. In fact, this compatibility issue may be a reason to hold off on updating for a while, in particular if you have older relatives who aren’t using the newest devices. If you need to FaceTime with someone who is still using one of the following devices, all of which run on iOS 9.3.5 or iOS 9.3.6, you may want to stay with your current operating system for the time being:

  • iPad 2
  • iPad (third generation)
  • iPhone 4S
  • iPad mini (first generation)
  • iPod touch (fifth generation)

While it’s generally best to run OS updates right away, there are rare exceptions — and we are definitely living in exceptional times at the moment — when these rules do not apply. If you need to FaceTime with someone using a much older device, then this would be a justifiable reason to postpone updating your own device. Alternatively, you might consider helping your loved one purchase a new iThing, if you have the means, or looking into a trusted, third-party video chat application to use in place of FaceTime.

That’s all for the Checklist this week, but we’ll be back with you next week with a new episode of the podcast. In the meantime, be sure to check out our archives, available at SecureMac.com/Checklist. There you can listen to all of our past shows, or read the full show notes if you prefer. We’d also invite you to reach out to us if you need some help with a security question, or if you’d like to help us pick a topic for a future Checklist. You can get in touch at Checklist@SecureMac.com.
