It’s only a week since Apple’s last product updates, but it’s already time to update again.
As you probably know, Apple, unusually amongst major operating system and application producers, doesn’t have any sort of predictable schedule for its security patches.
Unlike vendors such as Microsoft (monthly), Google Android (monthly) and Mozilla (every fourth Tuesday), security updates emerge from Cupertino HQ whenever Apple thinks the time is right.
And unlike Linux, where updates come thick and fast but you can at least track the issues that are being worked on at any moment, Apple’s updates arrive not only as-and-when, but also under an official cloak of undisclosure:
For the protection of our customers, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available.
Stony-faced silence
As we’ve said before, Apple rarely deviates from this stony-faced silence, which can be annoying when there’s a security problem in Apple’s code that is commonly known and already being discussed widely, yet the company still won’t say whether it’s working on a fix at all.
After all, if you’ve reported what you think is a bug but you don’t hear anything more about the issue, it’s hard to know where you stand.
Were you wrong, and it wasn’t a bug after all?
Are you being ignored because no one even noticed your report?
Or is the bug so deep and complex that it simply can’t or won’t be fixed and no one is ever going to tell you?
This time, the reason for the latest patches, which apply to macOS, iOS, iPadOS and watchOS, is clear, because four CVE-numbered critical bugs have been squashed, described as follows:
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Shortened into contemporary jargon, that means “drive-by, web-based zero-day RCE exploit.”
Drive-by attacks
Drive-by means that just visiting a website and viewing it is enough to trigger the bug, so you only need to be lured onto a booby-trapped site to take a look.
The crooks don’t need to lure you in and then also convince you to download and run a file, or to install a browser plugin, or to enter loads of personal data into an online form you didn’t expect.
Web-based means that the attack can happen right inside your browser, despite all the sandboxing and other protection that is supposed to keep browsing safe.
Zero-day means that there were zero days that you could have patched in advance, because the crooks found and started exploiting the bug first, before a patch was available.
And RCE means just what it says, namely remote code execution, where the crooks get to run remotely supplied code of their choice, decided at the time you visit their booby-trapped website.
Loosely speaking, RCE means not only that the crooks can inject and install malware onto your computer without any warnings or popups that would otherwise tip you off, but also that they can vary their attack as they choose.
Four squashed bugs
The squashed bugs are:
- CVE-2021-30665: A memory corruption issue was addressed with improved state management.
- CVE-2021-30663: An integer overflow was addressed with improved input validation.
- CVE-2021-30661: A use after free issue was addressed with improved memory management.
- CVE-2021-30666: A buffer overflow issue was addressed with improved memory handling.
Interestingly, the bug dubbed CVE-2021-30661 was already patched on 2021-04-26 (a week ago) in iOS 14.5 and macOS 11.3, but not in iOS 12, which didn’t get an update at that time.
From this, you might have inferred that the security hole was introduced to Apple’s codebase after iOS 12 came out, and therefore didn’t apply to the older iOS 12 version at all.
However, that turns out not to have been the the case, given that the CVE-2021-30661 and CVE-2021-30666 bugs fixed this time are listed as applying only to iOS 12.
As far as we can tell, no bug matching CVE-2021-30666 has yet been patched in iOS 14 or macOS 11, which once again leaves us wondering, given Apple’s notorious “no comment” attitude to the bugs it is working on, whether this bug exists in Apple’s more recent operating system versions or not.
Is this an old bug from iOS 12 that was carried forward into the current Apple codebase but has still not yet been patched there?
Or is it a bug that is unique to the older iOS 12 code that doesn’t appear in the more recent operating system releases and can therefore now be considered to have been eliminated everywhere?
Reminder. There is no iOS 13 any more. Older devices are stuck with iOS 12, which is still getting patches. But any Apple device that supported iOS 13 when it came out must now be upgraded to iOS 14.5.1 in order to be up to date with security fixes. That’s because iOS 14 replaced iOS 13, which is no longer supported at all and therefore dangerously far behind on security updates.
What to do?
Don’t delay. Get the updates today.
Even if the “in the wild” exploits for these vulnerabilities are known only to selected crooks who are keeping them carefully up their sleeves and using them only in highly targeted attacks…
… that’s no reason to be complacent about updating.
After all, security holes that one lot of crooks already know about could just as well be rediscovered, or be bought, or get stolen, by someone else.
(Don’t forget that the infamous ETERNALBLUE exploit, notoriously abused by the WannaCry virus, was apparently stolen from the US National Security Agency, even though the NSA had every reason to keep it to itself, well, eternally.)
In other words, why stay one step behind known attackers when you could move ahead?
On iDevices, go to Settings > General > Software Update.
On a Mac, it’s Apple menu > System Preferences > Software Update.
If you’re already up to date, then the updater will say so; if not, it will offer you an immediate opportunity to catch up.
The latest versions to look out for at the time of this article [2021-05-04T12:00Z] are: iOS 12.5.3, iOS/iPadOS 14.5.1, watchOS 7.4.1 and macOS 11.3.1.
If you’re still using macOS 10.14 or 10.15 (Mojave or Catalina by name), you’ll be offered an update [2021-05-05T00:05Z] entitled simply Safari 14.1, rather than an update denoted by the operating system number or name.
David C.
Fixes are now available via iOS 12.5.3.
https://support.apple.com/en-us/HT212341
Paul Ducklin
I actually linked to that very page in the article :-) However, your remark made it rather obvious to me that I hadn’t been clear about what version numbers are the ones you actually need to look out for on your update page, so I have gone back and added the details at the end, in the “What to do?” section…
…thanks for the idea!
Alex Burnham
I usually wait for the X.X.1 update before updating and note that Apple have pulled the iOS 14.5 update, informing me that my device is now up to date again running iOS 14.4.2
Jef
Is Apple’s insistence on not saying what they’re working on just a thinly veiled attempt to make their product seem more ‘safe’ and ‘secure’ to the general public (Who don’t read CVEs and often only see what apple wants them to see.).
Is it so the illusion isn’t broken that they’re just buying overpriced hardware with a vulnerable OS (Just like the competition. But locked down) that’s going to naturally have problems and isn’t perfect?
Paul Ducklin
To be fair, “what Apple wants them to see” includes the CVEs :-)
I sort of get Apple’s point – sometimes, even just hinting about what you’re fixing can act as an invitation to wannabe crooks to jump in head first right away, perhaps into a part of the codebase that they wouldn’t otherwise have looked at. (Security by obscurity is only bad if you rely on it as your primary vehicle for preventing attacks, or as an excuse for not tackling problems when you ought to.)
I am not convinced that keeping quiet until after the update in every single case really helps to maintain any illusions of invincibility, so I don’t think that’s the reason…
Ivo
What about MacOS 10.14.6?
Just got an update for Safari 14.1 – hope thats the all important one
Paul Ducklin
Yes, you’re right, that Safari 14.1 update shipped after the article went live, apparently as a standalone update for CVE-2021-30663 and CVE-2021-30665 for Catalina and Mojave (aka 10.15 and 10.14 respectively, the previous and pre-previous macOS versios that are still getting official updates). From what I can see, the rebuilt Safari was included for Big Sur (aka 11) users in the macOS 11.3.1 update.
Such a pity there isn’t a bit more clarity, completeness and cohesion in the Apple update bundles… sometimes you get an update denoted “abcOS P.Q.R” (by OS version number), somtimes it’s “Security Update Productname YYYY-00X” (by version name, year and sequence number), and sometimes by “Component G.H” (by the name of a specific app, usually Safari), and sometimes a mixture of the above.
I’ll add Safari 14.1 as a “special case” into the article, thanks!
ken
I know it sounds forlorn, but I’m still operating MacOS 10.13.6 on a pair of old MBPs to keep an important piece of software that didn’t work under 10.14 and higher, working. When the software was finally updated to work with OS 11, those old Macs were killed off, effectively leaving me at High Sierra or buy two new Macs…
My version of Safari is also only up to 13.1.2 with no update options at the App store. I never use Safari anyway, having been lifelong Netscape/Firefox user, but I note what you say about the security update presumably being bundled with it.
So do I have any options to upgrade security for these two ten-year old MBPs or do these CVEs even effect such old models and OS versions?
P.S. Updated to iOS 14.5.1 a few days ago, so I assume that’s the iOS update you are talking about?
Paul Ducklin
Newly-found bugs may affect old versions of an operating system that didn’t get patched if the buggy code is old and was therefore inherited by the newer versions that did get patched.
Given that we now know these bugs stretch back to 10.14 then you might want to assume that they affect 10.13 as well. If 10.14 and 10.15 had not received patches, however, you could perhaps have assumed that the bugs were in new code that was only introduced in macOS 11. (But you can only assume given that Apple never, or rarely, states explicitly how far back bugs reach in time.)
Given that 10.13 is unsupported since 11 came out, your only real route to upgrading security is to switch to an alternative OS that works on your older Macs and is supported, e.g. Linux.
As for iOS 14.5.1, that indeed came out on Monday 2021-05-03 and was current when the article came out…
sschifrin
For those running public betas of iOS 14.6.X?
Paul Ducklin
Good question… not sure! Apple’s “security page” HT201222 doesn’t say.
Diesel
I wonder if it will unbreak the DisplayLink problem in 11.3 . . .
Paul Ducklin
Assuming that this update is only a security fix (and that it specifically lists WebKit bugs only), I assume that it does not.
Given that you really ought to get the update anyway, because this is an in-the-wild exploit against your browser, I guess you will find out soon enough :-)