Apple has released its May 2019 security updates, taking iOS to version 12.3 and macOS Mojave to version 10.14.5.
There are three elements to this month’s new software – new capabilities (which tend to get the most attention, and which we’ll ignore), a sizable pile of important security fixes, and a smattering of minor security tweaks.
One of the interesting things about Apple’s advisories is the large number of third-party researchers the company name checks.
That’s a positive – the more researchers combing for flaws, the fewer will be exploited and hurt people. What’s less clear without reading deeper into the CVEs (which aren’t always explanatory until user updating has occurred) is which ones are more serious.
This month iOS generated 42 CVEs, bulked by the number affecting WebKit, which amount to 20 in all.
The ones that jump out usually involve a vulnerability that might allow a remote attacker or local app to take control of the device at some level – like most of the WebKit flaws.
For example, CVE-2019-8585 in CoreAudio, which could give malware a route to compromise using a malicious movie file. That’s serious because it doesn’t appear it would necessarily require the victim to do anything.
A rung down from this are CVE-2019-8593 in AppleFileConduit, and CVE-2019-8605 in the kernel, either of which might allow an app to gain system privileges, or CVE-2019-8637 in AppleFileConduit, through which a “malicious application may be able to gain root privileges.” Those would require users to download malicious apps.
macOS Mojave 10.14.5
Excluding flaws common to both macOS (including macOS Sierra 10.12.6, macOS High Sierra 10.13.6) and iOS in things like WebKit, May’s update addresses around 20 CVEs.
This includes four in SQLite allowing privilege elevation or code execution and three kernel flaws. One that stands out is the flaw in EFI, CVE-2019-8634, through which “a user may be unexpectedly logged in to another user’s account.”
Beyond that, it’s mainly tweaks such as disabling accessories with insecure Bluetooth connections, and a fix for unlocking FileVault volumes that are having trouble resetting the user account password using a personal recovery key (PRK).
Safari, meanwhile, eases web login when using Password AutoFill, replaces the discredited Do Not Track cross-site tracking browser protection with Apple’s Intelligent Tracking Prevention, and disables web push notifications when the user has interacted with a website.
What to do?
To check you’re up to date:
- On an iPhone, go to Settings > General > Software Update.
- On a Mac, go to the Apple menu, choose About This Mac and click Software Update…
WhatsApp Messenger v2.19.134
Separately, readers should also update WhatsApp in the light of the news that it’s been compromised by spyware. It’s not an Apple flaw, but it is one that might require a manual update of the app to get the fix as soon as possible. That’s done by visiting the App Store, clicking on Updates and downloading the update for WhatsApp Messenger.