Amongst all the brouhaha about Log4Shell, it’s easy to forget all the other updates that surround us.
Not only is it Patch Tuesday (keep your eye on our sister site news.sophos.com for the latest on that score later in the day)…
…but it’s also time to check your Apple devices, because Apple just pushed out a slew of its they-arrive-when-they’re-ready-and-don’t-expect-any-warning security patches.
The updated versions you’re looking for are:
- macOS Monterey 12.1
- macOS Big Sur 11.6.2
- Security Update 2021-008 Catalina
- iOS 15.2 and iPadOS 15.2
- tvOS 15.2
- watchOS 8.3
As for iOS 14 and iOS 12, which are the official previous and pre-previous iPhone operating systems (in the same way that Big Sur and Catalina are the previous incarnations of macOS), there’s no sign of any updates for them.
Observant readers will notice that the URLs in the list above form an unbroken numeric sequence except for a gap at HT212977, so whether that’s a space left open for a delayed update for iOS 14 or not we can’t tell you…
…but we did notice that Apple’s main security noticeboard page, HT201222, still [2021-12-14T12:00Z] doesn’t mention the updates listed above.
In the past, we’ve noticed an apparent correlation between delayed updates for individual platforms and delayed listings on HT201222, but we have no idea whether that is coincidence rather that true correlation, or a desire on Apple’s part to hold off updating the central listing until all the new versions can be displayed in one go.
(Apple, as you know, has an official policy of saying as little as possible about updates and update cycles, so we shall have to wait and see.)
What about Log4Shell?
As you can imagine, given the timing of this update, our first thought was to jump straight to the bulletins above and search for CVE-2021-44228, better known as Log4Shell, to see if the cybersecurity crisis currently circulating the globe was behind these patches.
The good news, if you want to think of it that way, is that it isn’t: we didn’t see mention of the text CVE-2021-44228, Log4Shell or Log4j anywhere in any of the abovementioned bulletins.
The bad news, perhaps, is that there are plenty of other vulnerabilities that were patched by Apple.
The patches include many that don’t immediately sound as serious as Log4Shell (because they aren’t actively and aggressively being abused already), but that could in theory have been even worse (because they involve more serious side-effects, such as potential full kernel compromise).
The security fixes in this round of updates close off holes that include:
- Kernel-level remote code execution. Could lead to a complete jailbreak of device security.
- Tracking flaws. Could lead to you being tracked when you thought you couldn’t be.
- Malware detection bypassses. Could lead to Apple’s rudimentary built-in anti-virus allowing malware to sidestep its checks.
- Network traffic leakage. Could reveal network traffic to people who shouldn’t be able to see it.
- Memory leakage. Could spill secrets such as encryption keys, or leak memory addresses that help to bypass address space layout randomisation (ASLR).
- Elevation of privilege. Could let an otherwise innocent app escape from its security controls.
- Privacy bypasses. Could let other users read or modify content that should be off-limits.
What to do?
- On your iPhone or iPad: Settings > General > Software Update
- On your Mac: Apple menu > About this Mac > Software Update…
As for the infamous Log4Shell hole: yes, this bug can in thoery affect Macs, because the flaw exists in a Java programming library, and Java is a cross-platform environment that runs equally well on Windows, Linux, macOS, xBSD and many other operating systems.
On Macs and iDevices the risk is generally lower than on computers offering online services that are available to, and proddable by, millions of external users.
But if you want advice on how to hunt down applications that include the buggy Log4j library, please read our latest Log4Shell explainer-and-advice article:
4 comments on “Apple security updates are out – and not a Log4Shell mention in sight”
I had no clue how many of our servers had Log4Shell installed! Mitigation has been a bear. Thanks to your last article, though, I was able to inform a vendor how to search with both a PowerShell and *nix script on their own machines. The vendor wrote back and thanked me since they, too, found several devices with Log4Shell actively running. The good news with Apple is that our MDM server pushes out an update and then we’re good to go. If Apple devices were my only Log4Shell updates, I wouldn’t even break a sweat. Alas, I can’t even feel too productive updating iOS. Log4Shell thwarts me again!
Log4Shell is by all reports almost entirely a server vulnerability, so no real surprise not to see any changes related to it on any of the various Apple OS’s. There may be some third party client apps that rely on Java that could find their way to a Mac along with the common CryptoMiner malware that can be installed using the flaw, but those would likely be the target of XProtect and MRT updates to detect and eliminate such threats.
The problem with “almost entirely” is that even a small percentage of Apple’s user ecosystem is a lot of people. And I know of lots of Mac Minis in server roles… FWIW the macOS Server product is not only still going but was upgraded only this month.
Apple has a hard time cranking out security updates. Sometimes it seems like they only have one speed in handling them. I got the 12.1 Monterey upgrade on my M1 Mini and then experienced a total drop of connection from my Magic keyboard and Magic mouse 2 a day later with no ability to reconnect. Finally had to resort to connecting a wired mouse to reset the Bluetooth on the Mac Mini. First time I have had that sort of complete failure of Bluetooth on two devices no less at the same time! Beginning to wonder what happened to Apple’s attention to detail and almost flawless operation?? Are the developer teams just overwhelmed? I have had more issues with my M1 Mac then I ever did with my Power PC, or Intel Mac’s.