Apple has issued its January security updates fixing a list of mostly shared CVE flaws affecting iOS and macOS with a smattering for Safari, watchOS, tvOS, and iCloud for Windows.
This latest version fixes a sizable list of CVEs for the iPhone 5s and later, and the iPad and iPod Touch 6th Generation. Almost all were reported to Apple by external researchers.
Fixes for the WebKit browser engine make up another nine CVEs, including CVE-2019-6229 which might allow cross-site scripting through a malicious web page.
Kernel-level flaws account for six CVEs, all of which would allow an attacker able to sneak a malicious app past Apple to elevate privileges, break out of the sandbox, or execute malicious code.
The update should appear without intervention or you can check manually by clicking Settings > General > Software Update.
macOS v10.14.3 Mojave
Also known as Security Update 2019-001 for Sierra and High Sierra, most of the CVEs mentioned in the iOS v12.1.3 update appear here too, including those for BlueTooth, FaceTime, WebRTC, CoreAnimation, SQLite, IOKit, and those affecting the kernel.
Those specific to macOS Sierra/High Sierra are CVE-2018-4452, an RCE weakness affecting the Intel Graphics Driver, and CVE-2018-4467, which might allow a privilege elevation issue affecting the OS’s hypervisor.
Affecting all versions is CVE-2019-6220, an out-of-bounds flaw in QuartzCore that could allow an attacker to read restricted memory.
Updating can be initiated through System Preferences > Software Update. If you haven’t clicked the box marked, Automatically keep my Mac up to date it might be a good idea to do that now.
Finally, Apple update wouldn’t be complete without something for Safari, which gets CVE-2019-6228, fixing a cross-site scripting vulnerability with better URL validation in the browser’s Reader.