by Paul Ducklin Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes. Confusingly, some of these updates
Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.
Confusingly, some of these updates have been available for several days already – the most recent version of iOS is 13.5, and it was officially announced on Apple’s main Security update page on 20 May 2020.
In fact, the updates listed for iOS and watchOS are still flagged [2020-05-27T12:00Z] with the words “details available soon“, even though Apple’s Security Advisories have full details.
And Apple’s updates for its non-mobile software products are covered in detail in the Advisory emails, but are not yet mentioned at all on the HT201222 security page.
For completeness, the updates are numbered
APPLE-SA-2020-05-25-11, and cover:
iOS 13.5 and iPadOS 13.5 iOS 12.4.7 macOS Catalina 10.15.5 Security Update 2020-003 for Mojave and High Sierra tvOS 13.4.5 watchOS 6.2.5 watchOS 5.3.7 Safari 13.1.1 (this update is built in to the Catalina fix) iTunes 12.10.7 for Windows iCloud for Windows 11.2 icloud for Windows 7.19 Windows Migration Assistant 18.104.22.168
The bug fixed in Windows Migration Assistant seems to be a DLL loading flaw that affects the Windows version of the software – an app that might, ironically, be the last Windows program you ever need to run.
Note that DLL loading errors generally don’t allow attackers to perform what’s called remote code execution (RCE), but merely to trick you into using a legitimate program to load up an untrusted component that’s has already been downloaded locally onto your computer.
So crooks may be able to use this sort of bug to finish off an attack (or to make an existing intrusion worse), but not to break in to start with.
What was fixed?
We counted 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.
We shan’t go over every one of them here, but we’ll note that 11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.
This is a reminder that vulnerabilities in cross-platform programming libraries may require vendors to put out updates for all the platforms on which that library is used.
Bugs such as buffer overflows and use-after-free errors can’t always be exploited on every platform, and even if they can, each variant of the exploit might need a lengthy phase of experimentation all of its own.
Nevertheless, where there’s a memory mismanagement flaw that can be triggered by remotely-supplied content, it’s wise to assume that if exploitation is possible on one platform, it can probably be figured out for other platforms, too.
For each patched bug, Apple lists its possible impact, so we filtered all the
Impact: lines out of the 11 different advisories to give you an idea of the range of different issues fixed, which came to 41 in all.
We’ve shortened some of the lines slightly to make them easier to read, but the variety of bugs fixed in this round of patches is clear:
What does this mean?
The silver lining here is that the length of the list and the variety of bugs shown above isn’t a sign of security weakness.
It’s tempting to look at a list like the one above, or the list of 114 vulnerabilities fixed by Microsoft in this month’s Patch Tuesday, as a sign that things are getting worse.
But by that argument, a company that never puts out updates at all and thus keeps its vulnerability count at zero, would come out as perfectly secure, even though it’s likely that such a company isn’t finding bugs because it carefully isn’t looking, rather than because it’s looking carefully.
Instead, you can see the breadth and depth of today’s “here’s what we just patched” lists as a sign of cybersecurity maturity and of ever-increasing attention to detail.
That’s because bugs don’t go as far as they used to for attackers, who often need to combine multiple flaws in order to pull off remote code execution exploits.
For example, bugs that can reliably crash apps with remotely supplied data often can’t easily be “weaponised”, or used to cause a crash that ends reliably in code execution.
Attackers may need to use a memory disclosure bug first, to figure out what programs are loaded where, without which their later attempt to exploit a code execution bug might crash completely instead of taking over control.
And attackers might need to mix a privilege elevation bug in there too, or a sandbox escape, otherwise they might end up with an attack that is so constrained in what it can see and do that they might as well not have bothered.
So the days of occasional patches only for the most serious bugs labelled “remote code execution” are over.
What to do?
Regular patching of all reported issues, even those that sound unimportant on their own, is a must…
…so we are going to say what we’ve always done, and that is, “Patch early, patch often.”
Even if you have set your Mac or your iDevice to update automatically, make a point of checking regularly that you really are up to date:
- On a Mac, go to System Preferences > Software Update.
- On an iPhone or iPad, go to System > General > Software Update.