Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches Over 40 Vulnerabilities in macOS Catalina

Apple this week released security updates to address over fifty vulnerabilities impacting macOS and Safari.

Apple this week released security updates to address over fifty vulnerabilities impacting macOS and Safari.

A total of 44 security flaws were fixed with the release of macOS Catalina 10.15.5, impacting components such as Accounts, AirDrop, Audio, Bluetooth, Calendar, ImageIO, Kernel, ksh, PackageKit, Sandbox, SQLite, USB Audio, Wi-Fi, and zsh, among others.

Eighteen of these vulnerabilities are specific to macOS Catalina, but many impact macOS High Sierra and macOS Mojave as well, and patches were released for those platform iterations as well.

What’s more, Apple addressed two other vulnerabilities that impact macOS Mojave only, as well as two more that affect macOS Mojave and macOS High Sierra.

The component impacted the most was Kernel, which received patches for a total of 10 vulnerabilities. Next in line was Wi-Fi, with fixes for 5 vulnerabilities.

The addressed issues could result in denial of service, the circumvention of sandbox restrictions, leak of private information, arbitrary code execution, exfiltration of user information, elevation of privilege, sandbox escape, memory leak, execution of arbitrary shell commands, and privacy preferences bypass, among others.

All these security bugs were fixed with the release of macOS Catalina 10.15.5, Security Update 2020-003 for Mojave, and Security Update 2020-003 for High Sierra.

Apple also patched 10 vulnerabilities with the rollout of Safari 13.1.1, which is now available for macOS Mojave and macOS High Sierra, and included in macOS Catalina.

Advertisement. Scroll to continue reading.

The first of the bugs could result in a malicious process causing Safari to launch an application. The remaining nine flaws affect Webkit and could result in arbitrary code execution, cross-site scripting, or the disclosure of process memory.

This week, the Cupertino-based tech company also made available version 2.2.0.0 of Windows Migration Assistant for macOS Catalina, which fixes an arbitrary code execution vulnerability.

A total of 12 vulnerabilities were patched with the release of iCloud for Windows, including arbitrary code execution, denial of service, and cross-site scripting issues. Two iterations of the application are available, namely version 11.2 for Windows 10 and later via the Microsoft Store, and version 7.19 for Windows 7 and later.

The new set of updates arrived roughly one week after the release of patches for iOS, tvOS, watchOS, and Xcode.

iOS 13.5 and iPadOS 13.5 arrived with fixes for more than 40 vulnerabilities last week, but at least one security flaw remained unpatched, allowing the team behind the popular jailbreak tool unc0ver to include an exploit for it in their latest release.

In an alert published on Tuesday, the CERT Coordination Center warned that this unspecified vulnerability resides in the iOS kernel and that it could allow any malicious application to achieve unsandboxed, kernel-level code execution.

“This vulnerability is being used by the public unc0ver 5.0 jailbreak utility, which claims to support all devices from iOS 11 through 13.5, excluding versions 12.3-12.3.2 and 12.4.2-12.4.5. It is also reported that this jailbreak works on modern iOS devices that use a CPU that supports Pointer Authentication Code (PAC), which indicates that PAC does not prevent exploitation of this vulnerability,” the alert reads.

Related: Jailbreak Tool Updated to Unlock iPhones Running iOS 13.5

Related: Apple Finds No Evidence of Attacks Targeting iOS Mail App Vulnerabilities

Related: Apple Patches Code Execution Vulnerabilities Across Product Portfolio

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.