Apple sends out 11 security alerts – get your fixes now!

Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.
Confusingly, some of these updates have been available for several days already – the most recent version of iOS is 13.5, and it was officially announced on Apple’s main Security update page on 20 May 2020.
In fact, the updates listed for iOS and watchOS are still flagged [2020-05-27T12:00Z] with the words “details available soon“, even though Apple’s Security Advisories have full details.
And Apple’s updates for its non-mobile software products are covered in detail in the Advisory emails, but are not yet mentioned at all on the HT201222 security page.
For completeness, the updates are numbered APPLE-SA-2020-05-25-1 to APPLE-SA-2020-05-25-11, and cover:

iOS 13.5 and iPadOS 13.5
iOS 12.4.7
macOS Catalina 10.15.5
Security Update 2020-003 for Mojave and High Sierra
tvOS 13.4.5
watchOS 6.2.5
watchOS 5.3.7
Safari 13.1.1 (this update is built in to the Catalina fix)
iTunes 12.10.7 for Windows
iCloud for Windows 11.2
icloud for Windows 7.19
Windows Migration Assistant 2.2.0.0

The bug fixed in Windows Migration Assistant seems to be a DLL loading flaw that affects the Windows version of the software – an app that might, ironically, be the last Windows program you ever need to run.
Note that DLL loading errors generally don’t allow attackers to perform what’s called remote code execution (RCE), but merely to trick you into using a legitimate program to load up an untrusted component that’s has already been downloaded locally onto your computer.
So crooks may be able to use this sort of bug to finish off an attack (or to make an existing intrusion worse), but not to break in to start with.

What was fixed?

We counted 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.
We shan’t go over every one of them here, but we’ll note that 11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.
This is a reminder that vulnerabilities in cross-platform programming libraries may require vendors to put out updates for all the platforms on which that library is used.
Bugs such as buffer overflows and use-after-free errors can’t always be exploited on every platform, and even if they can, each variant of the exploit might need a lengthy phase of experimentation all of its own.
Nevertheless, where there’s a memory mismanagement flaw that can be triggered by remotely-supplied content, it’s wise to assume that if exploitation is possible on one platform, it can probably be figured out for other platforms, too.
For each patched bug, Apple lists its possible impact, so we filtered all the Impact: lines out of the 11 different advisories to give you an idea of the range of different issues fixed, which came to 41 in all.
We’ve shortened some of the lines slightly to make them easier to read, but the variety of bugs fixed in this round of patches is clear:

Apps may cause a system crash or write to kernel memory
Apps may execute arbitrary code with kernel privileges
Apps may gain elevated privileges
Apps may use arbitrary entitlements
Attackers in a privileged network position may intercept Bluetooth traffic
Files may be incorrectly rendered to execute JavaScript
Importing a malicious calendar invitation may exfiltrate user information
Inserting a USB device that sends invalid messages may cause a kernel panic
Local attacker may elevate their privileges
Local users may execute arbitrary shell commands
Local users may read kernel memory
Malicious PDFs may cause a crash or allow arbitrary code execution
Malicious apps may modify protected parts of the file system
Malicious apps may break out of their sandbox
Malicious apps may bypass Privacy preferences
Malicious apps may cause a denial of service or disclose memory contents
Malicious apps may determine another application's memory layout
Malicious apps may determine kernel memory layout
Malicious apps may execute arbitrary code with kernel privileges
Malicious apps may gain root privileges
Malicious audio files may lead to arbitrary code execution
Malicious emails may lead to heap corruption
Malicious emails may lead to unexpected memory modification or a crash
Malicious images may lead to arbitrary code execution
Malicious processes may cause Safari to launch an app
Malicious text messages may lead to application denial of service
Malicious web content may lead to a cross site scripting attack
Malicious web content may lead to arbitrary code execution
Malicious web content may lead to universal cross site scripting
Malicious web content may result in the disclosure of process memory
Malicious websites may exfiltrate autofilled data in Safari
Non-privileged user may modify restricted network settings
Notification contents may be visible from the lockscreen
Remote attackers may cause a denial of service
Remote attackers may cause a system crash or corrupt kernel memory
Remote attackers may cause arbitrary code execution
Remote attackers may leak memory
Remote attackers may modify the file system
Running the installer in an untrusted directory may cause arbitrary code execution
USB devices may cause a denial of serviceion
Videos may not pause in FaceTime if you exit FaceTime while the call is ringing

What does this mean?

The silver lining here is that the length of the list and the variety of bugs shown above isn’t a sign of security weakness.
It’s tempting to look at a list like the one above, or the list of 114 vulnerabilities fixed by Microsoft in this month’s Patch Tuesday, as a sign that things are getting worse.
But by that argument, a company that never puts out updates at all and thus keeps its vulnerability count at zero, would come out as perfectly secure, even though it’s likely that such a company isn’t finding bugs because it carefully isn’t looking, rather than because it’s looking carefully.
Instead, you can see the breadth and depth of today’s “here’s what we just patched” lists as a sign of cybersecurity maturity and of ever-increasing attention to detail.
That’s because bugs don’t go as far as they used to for attackers, who often need to combine multiple flaws in order to pull off remote code execution exploits.
For example, bugs that can reliably crash apps with remotely supplied data often can’t easily be “weaponised”, or used to cause a crash that ends reliably in code execution.
Attackers may need to use a memory disclosure bug first, to figure out what programs are loaded where, without which their later attempt to exploit a code execution bug might crash completely instead of taking over control.
And attackers might need to mix a privilege elevation bug in there too, or a sandbox escape, otherwise they might end up with an attack that is so constrained in what it can see and do that they might as well not have bothered.
So the days of occasional patches only for the most serious bugs labelled “remote code execution” are over.

What to do?

Regular patching of all reported issues, even those that sound unimportant on their own, is a must…
…so we are going to say what we’ve always done, and that is, “Patch early, patch often.”
Even if you have set your Mac or your iDevice to update automatically, make a point of checking regularly that you really are up to date:

• On a Mac, go to System Preferences > Software Update.
• On an iPhone or iPad, go to System > General > Software Update.

---

Latest Naked Security podcast