If you own any kind of Apple device or software, you may want to check to see if you have an update waiting for you. This week Apple pushed a number of security fixes within larger general updates for many of its products – including some running on Windows – bringing the latest versions to:
- iOS 12.1
- Safari 12.0.1
- macOS Mojave 10.14.1 (previous macOSes will see updates via Security Updates 2018-001 High Sierra or 2018-005 Sierra)
- watchOS 5.1
- tvOS 12.1
- iCloud for Windows 7.8
- iTunes 12.9.1
The macOS updates contain fixes for 71 CVEs, 19 of which potentially allowed for arbitrary code executions at the system or kernel levels, and another six for denial of service attacks. Not every single CVE is present in every single OS but many do overlap OS versions and some of the kernel-level bugs do affect every version.
The iOS 12.1 update addresses 32 of its own CVEs, several of which address a critical-level memory corruption vulnerability in WebKit that, if exploited, could allow for arbitrary code execution – possibly remotely – via malicious web content.
Apple is notoriously tight-lipped on what’s involved here or how this attack might work, but given it’s a critical-level vulnerability and a fix exists, you’ll want to update as soon as you can. The iOS 12.1 update also fixes a cross-site scripting vulnerability in Safari.
These updates all dropped on the same day as Apple’s latest product line-up announcement, which includes updated versions of the iPad Pro and MacBook Air. With the announcement, Apple also released some new security details about its security-centric T2 chip, which has been running the MacBook Pro since 2018 and will be in the newest versions of the Air as well.
Any Apple device with the T2 chip that also has a lid (screen) that can open and close will now benefit from a hardware disconnect that ensures the microphone is disabled when the lid is closed. So if an attacker wants to eavesdrop on an unsuspecting user, even if someone has root access to a machine, closing the lid will stop them.
It seems sometimes just pulling the plug is still the best solution.
Simon McAllister
“It seems sometimes just pulling the plug is still the best solution”
And always will be. Again, we’re in a position of trust that something (T2 in this case) will always do it’s job and won’t be exploited. In the same way we trust our devices that have hard-to-remove batteries.