Apple's Catalina Mac operating system upgrade has not been out for long but the company has already begun squashing bugs with a vengeance.
MacOS Catalina 10.15 was made available for download earlier this week, following the release of iOS 13 and iPadOS in September.
If your machine is able to run macOS 10.14 Mojave, it is compatible with Catalina, and models including the MacBook 2015, MacBook Air 2012, MacBook Pro 2012, Mac Mini 2012, iMac 2012, iMac Pro 2017, and Mac Pro 2013 or later are suitable for the upgrade.
With every new OS release, however, new vulnerabilities and bugs are inevitable.
On Tuesday, the iPad and iPhone maker rolled out a selection of patches to resolve vulnerabilities uncovered in Catalina 10.15.
The first issues of note are memory corruption bugs, CVE-2019-8748 and CVE-2019-8758, in AMD firmware and the Intel Graphics driver. These security flaws can be used to execute arbitrary code with kernel and system privileges, respectively.
Two macOS kernel-based bugs have also been squashed, both of which also relate to memory corruption. CVE-2019-8717 and CVE-2019-8781, if unpatched, can permit attackers to execute arbitrary code with kernel privileges.
An interesting logic vulnerability in IOGraphics, CVE-2019-8755, has also been fixed which permits malicious applications to analyze and potentially determine kernel memory layouts.
Another code execution flaw detected and resolved is CVE-2019-8745, a buffer overflow traced back to the UIFoundation component which could be triggered through malicious text files.
In WebKit, Apple's browser engine, both CVE-2019-8769 and CVE-2019-8768 have been resolved. The first vulnerability was present in how the OS drew webpage elements and could be abused by threat actors in the development of malicious websites designed to reveal a user's browsing history, whereas the second prevented users from deleting items from their browsing history logs at all.
The tech giant also destroyed a bug in PDFKit, caused by how the software handles links embedded within encrypted PDF files and which could be exploited for the exfiltration of content from the encrypted files. This bug has been assigned CVE-2019-8772.
In the Notes macOS software, CVE-2019-8730 caused some locked notes to appear in search results, and users with local access could potentially view private content. A memory corruption bug in the sips image processing system -- CVE-2019-8701 -- which could lead to the execution of arbitrary code with system privileges has also been patched.
Two issues in PHP functions -- CVE-2019-11041 and CVE-2019-11042 -- a memory corruption flaw in CoreAudio, CVE-2019-8705, and a race condition issue in Crash Reporter, tracked as CVE-2019-8757, have also been resolved. A security flaw in SharedFileList, CVE-2019-8770, is a problem that could allow malicious apps to access recent documents and has now been eradicated.
Apple has thanked researchers from Google Project Zero, Core Development, Computest, SentinelOne, and Trend Micro's Zero Day Initiative, alongside Csaba Fitzl, Piérre Reimertz, and Kent Zoya, among others, for assisting with and reporting the security issues.
Previous and related coverage
- macOS Catalina -- Should you upgrade now?
- Apple's worst product is still Apple's worst product
- RIP iTunes: Apple releases MacOS 10.15 Catalina
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0