Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Kernel Vulnerability Causes Apple to Update All Operating Systems

Adam Engst

If you've ever wondered if all of Apple's operating systems (macOS, iOS, iPadOS, watchOS, and tvOS) are really based on the same code, today's updates should show just how true that is. Apple just pushed out [1]macOS Catalina Supplemental Update (1.2 GB), [2]iOS 13.5.1 (77.7 MB) and iPadOS 13.5.1 (284.8 MB), [3]watchOS 6.2.6 (48 MB), and [4]tvOS 13.4.6, along with what we presume is an updated version of [5]Security Update 2020-03 for High Sierra.

The only change listed for each of these releases is along the lines of 'This update provides important security updates and is recommended for all users.' The security note pages linked above all say, 'A memory consumption issue was addressed with improved memory handling,' and note that the fix addresses [6]CVE-2020-9859. Details of that vulnerability are still being held; perhaps they'll reveal more than 'An application may be able to execute arbitrary code with kernel privileges.'

We suspect this vulnerability is an ugly one. Anything that could give apps the capability to execute code with kernel privileges is concerning: it could do anything it wanted on the device, from installing a keylogger to surreptitiously recording the user to erasing all local storage. It's also possible that the vulnerability is fairly easily exploited, which would put hundreds of millions of Apple users at risk.

[7]9to5Mac suggests that these releases are to address the vulnerability used in a new jailbreak for devices running iOS 13.5, given that Apple credits jailbreak maker unc0ver in the security notes. It's unclear why unc0ver would have reported the vulnerability it relied on for its jailbreak; perhaps the vulnerability was simply too dangerous given that it affects all of Apple's operating systems.

Oddly, Security Update 2020-03 for macOS 10.14 Mojave was not mentioned in the macOS security notes. It seems strange that the bug could affect High Sierra and Catalina, but not the intervening Mojave. Perhaps a Mojave update is still coming, or maybe a fix that Apple put in place in Mojave was somehow reverted.

While it's inconvenient for Apple to update all of its operating systems at once, the company deserves kudos for dropping everything during a particularly stressful time to fix this bug. We tend to recommend a conservative approach to updates, but given the likely severity of the vulnerability and its applicability to all of Apple's operating systems, we suggest that updating as soon as you can is the safest course of action. If you need a refresher on how to do that:

* macOS: System Preferences > Software Update
* iOS and iPadOS: Settings > General > Software Update
* watchOS: Watch app > General > Software Update
* tvOS: Settings > System > Software Updates > Update Software

References

1. https://support.apple.com/en-us/HT211215
2. https://support.apple.com/en-us/HT211214
3. https://support.apple.com/en-us/HT211217
4. https://support.apple.com/en-us/HT211216
5. https://support.apple.com/en-us/HT211215
6. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9859
7. https://9to5mac.com/2020/06/01/apple-confirms-ios-13-5-1-security-update-patches-vulnerability-breaking-unc0ver-jailbreak/