macOS security patches, bug fixes, etc.

Apple posted macOS 10.15.5 today to patch a bunch of big security holes, plus patch updates for the two previous macOS versions it supports. (Apple no longer supports macOS 10.12 or any earlier versions.)

macOS 10.15.5 also adds features, including “battery health management”, plus a bunch of bug fixes, including kernel panics with RAID volumes, GPU-related freezes, sleep/wake bugs, authentication issues, T2 sound bugs, notification badge bugs, and more.

macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

  • Processing a maliciously crafted image, audio file, or PDF file may lead to arbitrary code execution
  • A remote attacker may be able to cause arbitrary code execution
  • An application may be able to execute arbitrary code with kernel privileges
  • A malicious application may be able to gain root privileges
  • Importing a maliciously crafted calendar invitation may exfiltrate user information
  • A remote attacker may be able to leak sensitive user information
  • A malicious website may be able to exfiltrate autofilled data in Safari
  • A malicious application may be able to bypass Privacy preferences
  • A malicious application may be able to break out of its sandbox
  • A file may be incorrectly rendered to execute JavaScript
  • Inserting a USB device that sends invalid messages may cause a kernel panic
  • [etc.]

Adobe Acrobat/Reader security flaws critical

Critical security flaws in Adobe Acrobat Reader and Adobe Acrobat allow takeover of a victim’s Mac with all-powerful “root” privileges. Adobe issued patches for this and also for security flaws in Adobe’s DNG SDK software. See MacInTouch discussions for important details about prerequisites for Adobe’s patches.

Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently
Today, Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities (CVE-2020-9615, CVE-2020-9614, CVE-2020-9613) I reported. The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed. A normal user on macOS (with SIP enabled) can locally exploit this vulnerabilities chain to elevate privilege to the ROOT without a user being aware. In this blog, I will analyze the details of vulnerabilities and show how to exploit them.

Adobe Acrobat and Reader | APSB20-24
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.

Adobe DNG SDK | APSB20-26
Adobe has released an update for the Adobe DNG Software Development Kit (SDK) for Windows and macOS. This update resolves multiple Heap Overflow and Out-of-Bounds Read vulnerabilities that could lead to Remote Code Execution and Information Disclosure respectively.

iOS Mail actively exploited

Apple’s iOS devices are being actively, remotely hacked via unpatched zero-click email attacks on Apple’s Mail app. Really (extremely) not good…

You’ve Got (0-click) Mail! Unassisted iOS Attacks via MobileMail/Maild in the Wild

  • The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory
  • The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods
  • The heap overflow vulnerability is exploited in the wild
  • The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device
  • We are not dismissing the possibility that the attackers deleted any remaining emails following a successful attack
  • Attack on iOS 13: Unassisted (/zero-click) attacks on iOS 13 when Mail application is opened in the background
  • Attack on iOS 12: The attack requires a click on the email. The attack will be triggered before rendering the content. The user won’t notice anything anomalous in the email itself
  • Unassisted attacks on iOS 12 can be triggered (aka zero click) if the attacker controls the mail server
  • The vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released

Flaw in iPhone, iPads may have allowed hackers to steal data for years
An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.

Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

Microsoft security patches

Microsoft posted patches for more than a hundred security flaws in its products today, including critical and zero-day vulnerabilities in Windows, as well as dangerous remote code execution vulnerabilities affecting Office for Mac. Bleeping Computer summarized the situation with links to CVE descriptions of the flaws and updates, including the following, among others:

Microsoft April 2020 Patch Tuesday fixes 3 zero-days, 15 critical flaws

CVE-2020-0980 | Microsoft Word Remote Code Execution Vulnerability
An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.

CVE-2020-0919 | Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Remote Desktop App for Mac in the way it allows an attacker to load unsigned binaries. An attacker could then install programs; view, change, or delete data with the logged in user’s privileges. To exploit this vulnerability, an attacker would have to first get access to the victim’s system.

CVE-2020-0984 | Microsoft (MAU) Office Elevation of Privilege Vulnerability
An attacker who successfully exploited the vulnerability who already has the ability to execute code on a system could elevate privileges.

CVE-2020-1019 | Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in RMS Sharing App for Mac in the way it allows an attacker to load unsigned binaries. An attacker could then install programs; view, change, or delete data with the logged in user’s privileges. To exploit this vulnerability, an attacker would first have to get access to the victim’s system.

macOS 10.15.4 Supplemental Update (warning!)

macOS Catalina 10.15.4 Supplemental Update patches some blatant bugs and undisclosed security flaws in Apple’s recently released update for its flagship Mac operating system, although it’s not clear that major crashing bugs have been fixed yet.

Warning: Some people are now reporting that the update “bricks” their Macs, rendering them completely unusable, as documented by multiple people in a MacRumors forum.

I attempted to install the update but about halfway through my computer shut down and it bricked my 2018 13 inch MacBook. No power, no fans coming on and off or anything when pressing and holding the power button. It was plugged and fully charged while updating. Anyone else having this problem? Also attempted to do an SMC reset to no avail, still won’t turn on. I am sending it in for repair. I would hold off updating unless you want to risk losing your computer for a week.

An Apple support article describes procedures for recovering from certain firmware failures at the cost of destroying all files on the internal drive. It requires another Mac, a suitable cable, and special software.

Revive or restore Mac firmware in Apple Configurator 2
If any of the following occurs, you must restore both the T2 chip firmware and erase the internal flash storage:

  • You can’t start the Mac from the startup volume or the recoveryOS
  • Internet recoveryOS was unsuccessful
  • Reviving the firmware was unsuccessful

WARNING: Back up your data before you restore the firmware on your Mac. When you restore the firmware on a Mac that contains an Apple T2 Security Chip, you are restoring the firmware on the T2 chip and on any volumes on your internal SSD storage. When this process is complete, any data on any SSD volumes is unrecoverable.

Firefox: critical security patch (74.0.1)

Firefox 74.0.1 brings critical security patches with “targeted attacks in the wild abusing this flaw.”

Firefox is the free, cross-platform web browser from Mozilla, promising better privacy than Google’s Chrome and offering an appealing, open-source alternative to Apple’s Safari.

Firefox 74.0.1 is a free download for OS X 10.9 and up, plus Linux, and Windows.

Firefox ESR 68.6.1esr (see security notes and downloads) adds the critical security fix to the Extended Support Release family for OS X 10.9 or later, Linux, or Windows. A Firefox FTP server includes all the various versions for downloading.

Firefox Quantum Developer Edition is an alternate version for desktop systems that incorporates tools such as editors, debuggers and responsive design views.

Firefox Quantum for Enterprise is a version that lets people set up policies (e.g. proxy, restrict features) with Group Policy on Windows and a JSON file on Mac and Linux.

Firefox for iOS 24.1 is a free mobile version for iOS 11 and up, with automatic search suggestions, a private browsing mode, tracking protection and Siri Shortcut support for iOS 12.

Coronavirus

I continue to update the Coronavirus (COVID-19) information page frequently with the most important and helpful information I can find from a wide range of sources about this life-changing global catastrophe.

https://macintouch.com/coronavirus/

Recent additions include the clearest explanation of the situation I have seen yet, plus a guide to “living with worry”, online self-triage tools, lost smell/taste, infections in Congress, a survey of treatments in development, an FBI alert, an animated model of viral spread and more. (With JavaScript help from Sam Herschbein, I also redesigned the Updates section of the web page to select and display items for a chosen day, while other people have contributed good tips and conversation, too.)

I hope this resource (and all the work it involves) is helpful in these troubled times.

Ric Ford

Adobe security flaws critical

Adobe posted its latest batch of patches for critical security flaws in its various products:

Adobe Acrobat and Reader | APSB20-13
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.

Adobe Photoshop | APSB20-14
Adobe has released updates for Photoshop for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.

Adobe Bridge | APSB20-17
Adobe has released a security update for Adobe Bridge. This update addresses multiple critical vulnerabilities that could lead to arbitrary code execution.

Adobe ColdFusion | APSB20-16
Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple critical vulnerabilities that could lead to arbitrary code execution.

Adobe Experience Manager | APSB20-15
Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve a vulnerability in AEM versions 6.5 and below rated Important. Successful exploitation could result in sensitive information disclosure.

Coronavirus Disease 2019 (COVID-19)

The COVID-19 pandemic is a life-changing global crisis that has already killed thousands of people, overwhelmed medical systems and devastated daily life for entire populations along with crippling businesses and the global economy. Yet it has barely begun, and it will explode in the weeks and months ahead with untold consequences (barring a miracle, and I don’t see any signs of one).

MacInTouch will be affected, too. Expect interruptions and delays at a minimum, and we’ll see what happens over time. I don’t anticipate changing the focus of the website, but I have collected useful, reliable information after seeing deadly misinformation promulgated by politicians, their media and irresponsible individuals inside and outside the USA, while family and community members have been confused and lacking critical facts.

Taking precedence over the usual MacInTouch topics at the moment, because this is infinitely more important, I have posted that collection and am updating it frequently: https://macintouch.com/coronavirus/

Ric Ford

Google Chrome/Chromium exploit

A Google Chrome security flaw has an exploit available “in the wild”, and Google issued an update that should be applied immediately. The Chromium browser is also affected and also needs the update (see FreeSMUG and SourceForge). The patches are not available yet for iOS, Android or Chromebooks, and other browsers may also be affected (e.g. Microsoft Edge, Brave, etc.).

Chrome Releases, Monday, February 24, 2020
The stable channel has been updated to 80.0.3987.122 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. … This update includes 3 security fixes. … Google is aware of reports that an exploit for CVE-2020-6418 exists in the wild.

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks
… The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two vulnerabilities — CVE-2020-6407 and CVE-2020-6418 — were identified by experts from the Google security team. … A successful exploitation of the integer overflow or out-of-bounds write flaws could allow a remote attacker to compromise a vulnerable system by tricking the user into visiting a specially crafted web page that takes advantage of the exploit to execute arbitrary code on the target system.

Google patches Chrome zero-day under active attacks
… Patches for this zero-day have been released as part of Chrome version 80.0.3987.122. The update is available for Windows, Mac, and Linux users, but not Chrome OS, iOS, and Android.

Google patches holes in Chrome – exploit already out there for one of them after duo spot code fix
… Kurucsai and Rao developed proof-of-concept exploit code for CVE-2020-6418 after spotting the fix buried in the source tree, and before Google could emit an official binary release. The duo have now shared their exploit code which can be used by white and black hats to target those slow to patch.

Adobe critical security flaws

Adobe issued its latest batch of patches for critical security flaws across its product portfolio:

We strongly recommend removing Adobe Flash from your systems because of its security flaws and exploitation, and Adobe has announced its termination.