Apple security updates

Apple posted unexpected security updates today for its Mac, mobile and media platforms just a week after its last batch of critical security patches, apparently this time looking to shut down the unc0ver jailbreak.

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2020-9859: unc0ver

Apple also modified the macOS 10.15.5 update packages it had posted last week on its Downloads page (which is often out of date and misleading but has been updated).

Apple additional security patches

In addition to a big batch of macOS security and bug fixes, Apple issued security patches for its Safari web browser (for macOS 10.13 and later), plus Apple Windows software, as well as tvOS and delayed notes about recent iOS and watchOS security patches.

macOS security patches, bug fixes, etc.

Apple posted macOS 10.15.5 today to patch a bunch of big security holes, plus patch updates for the two previous macOS versions it supports. (Apple no longer supports macOS 10.12 or any earlier versions.)

macOS 10.15.5 also adds features, including “battery health management”, plus a bunch of bug fixes, including kernel panics with RAID volumes, GPU-related freezes, sleep/wake bugs, authentication issues, T2 sound bugs, notification badge bugs, and more.

macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

  • Processing a maliciously crafted image, audio file, or PDF file may lead to arbitrary code execution
  • A remote attacker may be able to cause arbitrary code execution
  • An application may be able to execute arbitrary code with kernel privileges
  • A malicious application may be able to gain root privileges
  • Importing a maliciously crafted calendar invitation may exfiltrate user information
  • A remote attacker may be able to leak sensitive user information
  • A malicious website may be able to exfiltrate autofilled data in Safari
  • A malicious application may be able to bypass Privacy preferences
  • A malicious application may be able to break out of its sandbox
  • A file may be incorrectly rendered to execute JavaScript
  • Inserting a USB device that sends invalid messages may cause a kernel panic
  • [etc.]

Xcode update

Xcode is Apple’s software development platform for building macOS, iOS, Apple TV and Apple Watch apps. A new version, released today, patches a security hole and other bugs, and adds support for Apple’s latest OS updates.

Xcode 11.5 is a free download that requires macOS 10.15 Catalina. An Apple ID is required for testing apps on an iOS device. An Apple Developer account is required to submit apps to Apple’s App Store.

FileMaker 19

Claris FileMaker Pro 19 was announced today, the latest step in Apple’s many transformations of database management software originally acquired many years ago from Nashoba Systems. Apple now licenses the software almost entirely on a subscription basis under a subsidiary it calls “Claris”, recycling a name from an earlier era with entirely different products.

FileMaker Pro 19 touts “AI via Apple’s Core ML” to “unlock the potential of data with image classification, sentiment analysis, object detection and more.” Also new is the integration of JavaScript with code libraries and web services “to directly embed maps, animated graphics, data visualization, and more.”

Apple/Claris also says that FileMaker Pro 19 subscriptions are allowed to “create apps directly in the cloud with zero configuration and deployment.” Web publishing lets FileMaker subscribers connect to a server or cloud database via a web browser but is limited to the number of users allowed in the subscription (see below).

Features retained from previous versions include a friendly user interface; support for SQL data sources, JSON and cURL; an iOS client; and server options, but Apple has removed the ability to create standalone (“runtime”) databases. FileMaker documentation and release notes offer additional information.

FileMaker 19 is priced starting at $1,140/year for a 5-user cloud subscription that’s limited to hosting 3 “apps” with a limit of 2 GB of “outbound data transfer of FileMaker Data API/OData per user/per month”, and “medium compute” performance. System requirements specify macOS 10.14 or 10.15, Windows 8.1 or later, iOS 13.2 or later. A 45-day trial is available in return for information about your company.

FileMaker Server “on premise” (non-cloud) versions are priced starting at $900/year with a limit of 5 users and 2 GB outbound data transfer per user per month. A FileMaker Server 19 “developer preview” supports CentOS 7.7, along with macOS and Windows.

Claris Connect, for workflow automation and third-party service integration, is priced starting at $99/user/month with a limit of 15 “active flows” and “10,000 API requests” per month.

A FileMaker Pro “individual” (non-cloud) license option has been marginalized but remains available at $540. (An upgrade from FileMaker Pro Advanced 16 or later is $197.)

Logic Pro X

Logic Pro X is Apple’s professional music production app, which includes multiple recording tracks with a mixer and automation and punch in/out; collections of instruments, effects and loops; pitch and tempo manipulation; iPad remote control; a score editor; MIDI support; virtual drummers; sampling; arpeggiation; a guitar/bass amp designer; Audio Unit plug-in support; XML import/export to Final Cut X; export to Sound Cloud; and more.

Logic Pro X 10.5 is priced at $199.99 and now requires macOS 10.14 or later. The latest release brings a number of new features, along with the latest batch of patches for crashing bugs. Apple is currently offering a free 90-day trial period in return for your name and email address.

Apple today unveiled a major update to Logic Pro X with a professional version of Live Loops, a completely redesigned sampling workflow, and new beat-making tools.

Apple revises 13-inch MacBook Pro

Apple today revised its 13-inch MacBook Pro, finally abandoning the defective “butterfly” keyboard design it has been using since 2016 in favor of a “Magic Keyboard” that should be a vast improvement.

Magic Keyboard features a redesigned scissor mechanism… while the new inverted-“T” arrangement for the arrow keys makes them easier to find [and it] also features a physical Escape key, along with Touch Bar and Touch ID…

Other upgrades for the upper-level model include 10th-generation Intel CPUs with more powerful integrated graphics that support Apple’s unique 6K Pro Display XDR.

The two-hole starter model gets the new keyboard and an internal SSD with at least 256 GB but continues with the old 8th-generation Core i5 CPU and slow 2133MHz memory, 8 GB standard with 16 GB as an optional upgrade at ordering time.

Storage goes as high as 4 TB on the upper-tier model for those who are willing to pay the price at the high end, and the pricier version also gets very fast 3733MHz LPDDR4X memory, 16 GB with 32 GB as an available upgrade at ordering time.

Available in silver or space gray color, Apple’s MacBook Pro 13″ starts at $1299 for the low-end, two-hole version with 256GB storage, 8GB 2133MHz RAM and 8th-generation 1.4GHz Intel Core i5 CPU. Deliveries are due to begin later this week.

The new 4-port MacBook Pro 13-inch starts at $1799 with 16GB 3733MHz RAM, 512GB SSD and 2.0GHz quad-core Intel Core i5.

Configured with 1TB SSD, 2.3GHz quad-core Intel Core i7 and 32GB RAM, the new MacBook Pro rises to $2599. Upgrading to 4TB storage boosts the price to $3599. Deliveries are set to begin next week.

The MacBook Pro now requires macOS 10.15 Catalina. No components can be upgraded (or replaced) after purchase.

iOS Mail actively exploited

Apple’s iOS devices are being actively, remotely hacked via unpatched zero-click email attacks on Apple’s Mail app. Really (extremely) not good…

You’ve Got (0-click) Mail! Unassisted iOS Attacks via MobileMail/Maild in the Wild

  • The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory
  • The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods
  • The heap overflow vulnerability is exploited in the wild
  • The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device
  • We are not dismissing the possibility that the attackers deleted any remaining emails following a successful attack
  • Attack on iOS 13: Unassisted (/zero-click) attacks on iOS 13 when Mail application is opened in the background
  • Attack on iOS 12: The attack requires a click on the email. The attack will be triggered before rendering the content. The user won’t notice anything anomalous in the email itself
  • Unassisted attacks on iOS 12 can be triggered (aka zero click) if the attacker controls the mail server
  • The vulnerabilities have existed at least since iOS 6 (issue date: September 2012), when iPhone 5 was released

Flaw in iPhone, iPads may have allowed hackers to steal data for years
An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.

Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

iPhone SE “second-generation”

Today Apple recycled the name of its beloved, original, 4-inch iPhone SE for a larger, “second-generation” iPhone SE that uses an iPhone 8 enclosure (in red, white or black) with 4.7-inch (1334×750) screen and Home button while updating to the “A13 Bionic” processor of iPhone 11 models.

The 2020 iPhone SE reprises the iPhone 8’s camera, battery life, and water resistance but drops “3D Touch”, while the new A13 processor supports “Portrait Mode” and “Portrait Lighting” effects plus “extended dynamic range for video up to 30 fps.” Like the iPhone 8, the newest model can capture 4K video at 60 fps through its wide-angle (28mm equivalent) camera lens while adding “stereo” audio recording, but it lacks the audio jack of the original iPhone SE. New radio hardware brings WiFi 6 and 802.11ax support plus dual nano-SIM/eSIM capability. (See Apple’s comparison tool for more details.)

2020 iPhone SE pricing starts at $399 (plus tax, shipping, AppleCare, and phone service) with 64 GB of storage, $449 with 128 GB, or $549 with 256 GB. Pre-ordering starts this Friday for delivery around April 24. Apple no longer sells iPhone 8 models, leaving the iPhone 11 series and iPhone XR as its pricier alternatives to the new iPhone SE (though Apple’s refurb store currently offers some iPhone 8, iPhone X and iPhone XS models with discounted prices).

Magic Keyboard for iPad Pro

Apple announced today that it is taking orders for its new “Magic Keyboard for iPad Pro”, which includes a trackpad and “cantilevered” stand to create a laptop-like system, running iPadOS. The new device costs $299 for the $799+ iPad Pro 11-inch or $349 for the $999+ iPad Pro 12.9-inch.

macOS 10.15.4 Supplemental Update (warning!)

macOS Catalina 10.15.4 Supplemental Update patches some blatant bugs and undisclosed security flaws in Apple’s recently released update for its flagship Mac operating system, although it’s not clear that major crashing bugs have been fixed yet.

Warning: Some people are now reporting that the update “bricks” their Macs, rendering them completely unusable, as documented by multiple people in a MacRumors forum.

I attempted to install the update, but about halfway through my computer shut down and it bricked my 2018 13-inch MacBook. No power, no fans coming on and off or anything when pressing and holding the power button. It was plugged in and fully charged while updating. Anyone else having this problem? Also attempted to do an SMC reset, to no avail; it still won’t turn on. I am sending it in for repair. I would hold off updating unless you want to risk losing your computer for a week.

An Apple support article describes procedures for recovering from certain firmware failures at the cost of destroying all files on the internal drive. It requires another Mac, a suitable cable, and special software.

Revive or restore Mac firmware in Apple Configurator 2
If any of the following occurs, you must restore both the T2 chip firmware and erase the internal flash storage:

  • You can’t start the Mac from the startup volume or the recoveryOS
  • Internet recoveryOS was unsuccessful
  • Reviving the firmware was unsuccessful

WARNING: Back up your data before you restore the firmware on your Mac. When you restore the firmware on a Mac that contains an Apple T2 Security Chip, you are restoring the firmware on the T2 chip and on any volumes on your internal SSD storage. When this process is complete, any data on any SSD volumes is unrecoverable.

Apple COVID-19

Apple COVID-19 is a free iOS 13 app from Apple that combines a screening tool with simple information from the CDC about Coronavirus Disease 2019 (while also promoting Apple News).

Apple’s Coronavirus (COVID-19) website is essentially the same thing as the app, with a screening tool and basic CDC information, but it omits the Apple News marketing.

The latest update adds two improvements:

  • Ability to select state of residence to see guidance from that state’s health department
  • Tips for keeping yourself and others physically and mentally healthy