macOS 11.6 Big Sur, iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and Security Update 2021-005 Catalina Fix Security Flaws

Originally published at: macOS 11.6 Big Sur, iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and Security Update 2021-005 Catalina Fix Security Flaws - TidBITS

Apple has updated macOS, iOS, iPadOS, and watchOS to fix two active vulnerabilities, one of which let attackers work around Apple’s BlastDoor protections.


And there’s a Safari 14.1.2 for Mojave. No sign of a security update for Mojave, but that might be still to come.

The Catalina update seemed to install fine for me (rebooting three times during the installation process).

The iOS update didn’t want to install over-the-air on my iPod Touch. The first time I tried, it said that download failed. The second time, it said “To download and install this software update, connect your iPod Touch to your computer”. So I had to install the update via USB. It seems to have installed fine, but it started nagging me about enabling Siri (I had previously turned it off) in order to “complete the installation”. So I turned it on and off again and it stopped complaining.

This update installed without incident on both my iPad 6th gen. and iPhone 12 Mini. Currently installing in an Apple Watch 4. So far, so good!

Thank you Josh!

I have posted this to my FB wall for all of my clients.


iPhone says it needs a Wi-Fi connection. Except I’m traveling and the current Wi-Fi is one of those flaky insecure ones that you put the password in with a browser.

I understand completely. System updates are big - you generally don’t want to blow through your mobile data allowance for this.

Yes, I’m aware that you may have an unlimited plan, but even then there are often caps and you don’t want to end up rate-limited for the rest of the month if you go over.

As for using hotel wi-fi, a flaky connection can make the experience frustrating. I wouldn’t worry about security, since Apple uses HTTPS and signs their firmware installers.

If you need to wait a few days until you get home, I personally wouldn’t see a problem with it. If you’re concerned, just make sure to not open any downloaded PDFs on your phone until you get home. In my case, I don’t open very many, and they are almost always my own files that I’m downloading from my own Google Drive.


I just looked on my Update preferences, and yes, it says that 14.1.2 is available. I remember installing that a while ago with the last Security Update (2021-005), and when I look at “About Safari” it says: Version 14.1.2, and Finder Info for the Safari app also says Version 14.1.2.


See screen cap.

So should I click on “Install Now” and reinstall it?

I installed it and things seem fine, and About Safari says 14.1.2 (14611.3.10.1.7), so a (very!) slight bump in build number. So if you install it, it will be an update, not a reinstall.

Upgraded my devices (MBP16, iPhone 12 ProMax, iPad 12.9 2020, Watch 6 44mm SS) to said OS versions. Everything works fine.

I have 14.1.2 (14611.3.10.1.6) on my i9 MBP16.

FWIW, Catalina (2018 Mac mini) reports version 14.1.2 (15611.3.10.1.7, 15611).

Clearly, the first two digits of the build number are the corresponding macOS version number. The rest is the same as what @blm reported.

It turns out that the CoreGraphics vulnerability fixed in these updates is being used by NSO Group’s Pegasus spyware to enable a zero-click exploit. In other words, a Pegasus customer (a government, theoretically) can take over an iPhone merely by sending it an image.

In other words, update your Apple devices right away.

That’s not to say that anyone reading this is likely at risk. As Apple’s head of security engineering told the New York Times:

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals.”

So unless you are personally of interest to a hostile government, there probably isn’t much to worry about.

My concern would be that now that the vulnerability has been fixed, it could be resold to lower-level criminals who would be happy to use it in a less targeted fashion against those who haven’t updated.


Well… My only guess is that they have somewhat different releases for specific Mac models depending on specific hardware configs. It’s the last and most insignificant number, but mine still shows a .6 where yours shows .7.

At least according to the NBC & CBS national news on Monday night. I wonder if Apple will cover this tomorrow during the iPhone event.


According to what I just looked up, this is the same Pegasus exploit that has been used by nation states against various people for quite some time.

The big news is that someone appears to have delivered a copy to Apple, so now it will be possible for them to fix it (assuming it wasn’t the fix that just shipped today).

So it sounds like good news to me.


That’s what today’s system and security updates are about.


OK, well I can’t use any of those so it is moot for me. Fortunately I very seldom use iMessage - probably have used it less than a couple of dozen times in the last 10 years.

I’ve tried for a couple of days now to get the 11.6 to install in my iMac. I’ve restarted, closed all apps with just the software update. It gets to 10 minutes left and then doesn’t continue. Left it on overnight, and no update. Hoping the members here can provide a guide as it is a security update.

Is that completely true, or does the iPhone user need to display the image?