iOS 12.5.5 and Security Update 2021-006 Catalina Block Exploited Vulnerabilities

Originally published at: iOS 12.5.5 and Security Update 2021-006 Catalina Block Exploited Vulnerabilities - TidBITS

Apple has updated iOS 12 and macOS 10.15 Catalina to address severe security vulnerabilities that are actively being exploited in the wild. Update right away.

So this is interesting. The XNU bug was also fixed long ago in iOS 14.4/iPadOS 14.4 and in macOS 11.0.1 Big Sur, which came out on 1 February 2021. I wonder what happened that caused Apple to backpatch the older operating systems with it only now.

I just searched Apple Support for info about Mojave and XNU. I came up with nothing, but this page was interesting:

I’m pretty certain that it was this: “Apple is aware of reports that an exploit for this issue exists in the wild.” but I can’t explain why it was necessary to patch the very same CVE again in the newer systems. Several possibilities:

  • The fix wasn’t carried over to a subsequent release and had to be re-introduced
  • Hackers found a workaround in the original patch requiring a better patch
  • Apple forgot that they already fixed it and erroneously listed it in those documents

Doubt we’ll ever know.


Security updates for (Mojave?) Safari and iPadOS 14.8 have been released.

There’s dropping critical security support for older releases, and then there’s not telling anyone about it:

I’ve no need to run Mojave myself, and my only Mac (besides my 12-inch PowerBook!) is an M1 Air, so this does not affect me. But ultimately all Macs enter the twilight where it becomes unclear how safe they are to use online (and therefore much at all). Clarity would be better than silence.

To be fair, there are iOS devices that could not be upgraded beyond iOS 12. But every standard configuration Mac that could run Mojave could be updated to Catalina. Probably from Apple’s point of view, Mojave didn’t need security updates, because those systems can be upgraded to Catalina. And there are probably a lot more devices potentially stuck on iOS 12 than 2010-2012 Mac Pro systems with upgraded GPUs that could not go past Mojave.

It’d be nice if Apple kept supporting old OSes, but it’s pretty well established now that they support three years’ worth, and, even as somebody who likes to keep devices as long as possible, I’d rather they work on securing current OSes than spend time on legacy versions.

Perhaps. But Catalina is no ordinary point update: it terminates all 32-bit software support. Updating from Mojave can be immensely disruptive, as many of us remember ourselves.

I don’t expect software to be supported forever. My real concern is how Apple turns off vital security support without even telling the remaining users. Without researching online, you can’t tell your Mac is now wide open to actively exploited macOS vulnerabilities. All Software Update will ever tell you is “Your Mac is up to date.” Which is a lie.

Out of interest, if I resorted to running Mojave in a virtual machine (e.g. Parallels), would it still be vulnerable to some security problems?

Some, yes. Many malware developers recently have had a habit of checking to see if they are in a VM, which is a common way that security experts test for malware without causing damage to their main OS. If that type of malware detects that it’s running in a VM, it will stop the infection and often delete itself in the process.

Additionally, if you’re running in a VM, you can selectively enable or disable hardware features (like networking interfaces).

Most malware these days spreads/operates via Internet connections. If the app you need the old OS for doesn’t require network connectivity to operate, you can disable the VM’s network interface (or disable networking in the guest OS). This alone will protect it quite a bit.

If you need network access for a specific activity (e.g. updating an app via the App Store), you can enable networking, perform your task, and then disable it again.

And, of course, you can (and should) run a firewall app in the VM (Apple’s Firewall and probably something like Little Snitch), cranked up to maximum security, so it only permits the specific connections you require and nothing else.

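As an added example of the “only the specific connections you require and nothing else” firewall posture described in the post above (this is not the poster’s own configuration), here is a minimal default-deny ruleset for the pf packet filter that ships with macOS, written for a Mojave guest VM. Everything in it is an assumption to be adjusted: the interface name `en0`, the resolver address `192.168.0.1` (typically the VM’s NAT gateway), the hypothetical file path, and the choice of Apple’s `17.0.0.0/8` address block as the only permitted HTTPS destination. Apple also serves downloads from third-party CDNs, so an App Store update may need additional hosts; run the task once with Little Snitch or `sudo pfctl -s state` watching and add only what it actually used.

```pf
# Hypothetical path: /etc/pf.anchors/com.example.allowlist
# Syntax check only (nothing loaded):   sudo pfctl -nf /etc/pf.anchors/com.example.allowlist
# Enable pf and load this ruleset:       sudo pfctl -ef /etc/pf.anchors/com.example.allowlist
# Back to "networking off" afterwards:   sudo pfctl -d   (or disconnect the VM's adapter)

ext_if   = "en0"          # assumed: the guest's only network interface
resolver = "192.168.0.1"  # assumed: the VM's DNS server (NAT gateway on the host)
apple    = "17.0.0.0/8"   # Apple's own address block; CDN hosts are NOT covered

set block-policy drop     # silently drop rather than send RSTs/ICMP unreachables
set skip on lo0           # leave loopback alone

# Default deny in both directions; everything below is an explicit exception.
block all
# No IPv6 rules follow, so refuse it outright instead of leaking through.
block quick inet6

# DNS: UDP/53 to the chosen resolver only, not to arbitrary servers.
pass out quick on $ext_if inet proto udp from any to $resolver port 53 keep state

# HTTPS: TCP/443 to Apple's block only, and only for connections the guest initiates.
pass out quick on $ext_if inet proto tcp from any to $apple port 443 flags S/SA keep state

# Nothing inbound is passed at all: the VM accepts no unsolicited connections.
```

Load it only for the duration of the task that needs the network, then disable pf and disconnect the adapter again, as the post suggests. Note that loading a file with `pfctl -f` replaces the running ruleset, including the anchors macOS installs by default, which is acceptable for a single-purpose VM but not something to copy onto the host.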