Apple Issues Emergency Patch for iPhones and Macs: What to Do Now

Patch your Macs, people, and your Apple Watches and older iPhones, iPads and iPod Touches.

Apple yesterday (Sept. 26) released an emergency update for Macs to fix a flaw that would let a "remote attacker ... cause unexpected application termination or arbitrary code execution." 

In plain English, that means a hacker could access your Mac from the internet and run malicious code or shut down legitimate applications. Needless to say, that is Very Bad.

Patches were also issued yesterday for watchOS (5.3.2) and iOS 12 (12.4.2) to fix the same flaw. New iPhones, iPads and iPods got the fix last week with the release of iOS 13, but many older iOS devices, such as the iPhone 5s, 6 and 6 Plus, have to stick with iOS 12.

The Mac patches are for the last three versions of macOS -- 10.14 Mojave, 10.13 High Sierra and 10.12 Sierra -- but you won't get a new version number for your build. Older, unsupported versions of macOS/OS X are likely affected as well. (If you're still running one of those, it's time to update.)

Clearing up a mystery

Apple isn't saying much more about the flaw, other than that it involves "an out-of-bounds read [that] was addressed with improved input validation," was discovered by Google Project Zero researchers Samuel Groß and Natalie Silvanovich, and was assigned the Common Vulnerabilities and Exposures (CVE) number CVE-2019-8641.

But it turns out the vulnerability goes back several months, and was left unresolved long after a similar slew of flaws was fixed. 

This morning (Sept. 27), Sophos' Paul Ducklin connected the dots and figured out that this is the last of several mainly iOS flaws that Groß and Silvanovich revealed over the summer, and the only one of those flaws to remain unexplained and unpatched for nearly two months. 

You may recall that there were a number of Apple Messages flaws revealed in late July, which Apple mostly remediated with iOS 12.4. Some of the flaws would have let hackers take over iPhones simply by sending a specially crafted message. 

As is standard procedure, the Project Zero researchers explained exactly how the bugs worked after Apple issued iOS 12.4. But they held back information about one flaw because they felt iOS 12.4 didn't fully fix it. 

"We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability," Silvanovich wrote on Twitter July 29.

The mystery flaw stayed unrevealed for two more months, even as Silvanovich and Groß took their research on the road and presented their findings at the Black Hat security conference in August, and as Apple updated iOS to version 12.4.1 and released a "supplemental" update to macOS Mojave 10.14.6.

Finally, full disclosure

Now that everything's really been fixed, the cat's out of the bag. Silvanovich quietly made public the details of CVE-2019-8641 on Monday (Sept. 23), after the release of iOS 13, in a Project Zero blog posting. 

Her explanation of the vulnerability is beyond comprehension for anyone not well versed in the internal workings of iOS, but she noted that "this issue has not yet been fixed for Mac and iPad, but is now only a local vulnerability due to the change in 12.4.1." 

Those local vulnerabilities, presumably, have now been addressed with the iOS 12.4.2 update and the macOS patches. 

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
