You, Apple Mac fan. Put down the homemade oat-milk latte, you need to patch a load of security bugs, too


Apple has alerted users about a bunch of security fixes for its software on supported versions of macOS that you ought to install as soon as you can.


For Safari, there are nine CVE-listed patches in version 13.1.1. Six address malicious code execution (CVE-2020-9802, CVE-2020-9800, CVE-2020-9806, CVE-2020-9807, CVE-2020-9850, CVE-2020-9803) that can be achieved by opening a booby-trapped webpage or similar.


These were found separately by Samuel Groß of Google Project Zero; Brendan Draper working with Trend Micro's ZDI; Wen Xu of SSLab at Georgia Tech in the US; and a trio working together at SSLab. The vulnerabilities are present in the WebKit component of Safari.


The SSLab trio also found CVE-2020-9801 in Safari that can be exploited by malware already running on a Mac to force the browser to open another application. An anonymous researcher found CVE-2020-9805, and Ryan Pickren found CVE-2020-9843, both cross-site scripting holes in the software. Natalie Silvanovich of Google Project Zero found CVE-2019-20503, an information leak in the WebRTC component of Safari.


macOS Catalina, aka version 10.15.5, meanwhile, features 46 security patches, also available to macOS Mojave (10.14) and High Sierra (10.13) users. Here are the highlights:


  • CVE-2020-9815 and CVE-2020-9791 found by Yu Zhou via Trend's ZDI: A specially crafted audio file can trigger malicious code execution when processed by the operating system, due to an out-of-bounds read bug, apparently.

  • CVE-2020-9816 found by Peter Nguyen Vu Hoang of STAR Labs via ZDI: Opening a booby-trapped PDF can trigger a crash or execution of malicious code, due to an out-of-bounds w ..
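Both of the highlighted bugs come down to the same defensive failure: a file parser takes a length or offset from the file itself and uses it without comparing it to the bytes actually present, so a crafted file can push a read (or a write) past the end of the buffer. The C below is an added illustration of that pattern and its fix; it is not Apple's code and has nothing to do with the actual CoreAudio or PDF parsers. The chunk layout (4-byte tag, little-endian uint32 length, payload), the tag names and the two sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed toy container (not a real audio or PDF format): a sequence of
 * chunks, each [4-byte tag][uint32 little-endian payload length][payload].
 */
static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Vulnerable shape: the payload length is taken from the file and used as the
 * loop bound with no comparison against the bytes left in the buffer. A length
 * larger than the remainder makes payload[i] read past the end of buf, i.e. an
 * out-of-bounds read. Kept only for contrast; never feed it untrusted data.
 */
int parse_chunks_unchecked(const uint8_t *buf, size_t len, uint32_t *sum_out)
{
    size_t off = 0;
    uint32_t sum = 0;
    while (off + 8 <= len) {
        uint32_t plen = read_u32le(buf + off + 4);
        const uint8_t *payload = buf + off + 8;
        for (uint32_t i = 0; i < plen; i++)   /* bound comes straight from the file */
            sum += payload[i];
        off += 8 + (size_t)plen;
    }
    *sum_out = sum;
    return 0;
}

/*
 * Hardened version: every header and payload length is validated against the
 * bytes remaining before anything is read. Returns 0 on success, -1 for a
 * truncated header, -2 for a payload length that would run past the buffer.
 */
int parse_chunks_checked(const uint8_t *buf, size_t len, uint32_t *sum_out)
{
    size_t off = 0;
    uint32_t sum = 0;
    while (off < len) {
        if (len - off < 8)
            return -1;                        /* not enough bytes for a header */
        uint32_t plen = read_u32le(buf + off + 4);
        if (plen > len - off - 8)
            return -2;                        /* payload would overrun buf */
        const uint8_t *payload = buf + off + 8;
        for (uint32_t i = 0; i < plen; i++)
            sum += payload[i];
        off += 8 + (size_t)plen;              /* cannot pass len: plen <= len - off - 8 */
    }
    *sum_out = sum;
    return 0;
}

/* Constructed sample files. */
static const uint8_t kBenignFile[] = {
    'F', 'M', 'T', ' ', 2, 0, 0, 0, 1, 2,            /* chunk 1: 2-byte payload */
    'D', 'A', 'T', 'A', 3, 0, 0, 0, 10, 20, 30       /* chunk 2: 3-byte payload */
};
/* Header claims 0xFFFFFFF0 payload bytes, but only 2 follow. */
static const uint8_t kHostileFile[] = {
    'D', 'A', 'T', 'A', 0xF0, 0xFF, 0xFF, 0xFF, 1, 2
};

uint32_t checked_benign_sum(void)   { uint32_t s = 0; parse_chunks_checked(kBenignFile, sizeof kBenignFile, &s); return s; }
uint32_t unchecked_benign_sum(void) { uint32_t s = 0; parse_chunks_unchecked(kBenignFile, sizeof kBenignFile, &s); return s; }
int checked_hostile_status(void)    { uint32_t s = 0; return parse_chunks_checked(kHostileFile, sizeof kHostileFile, &s); }
int checked_truncated_status(void)  { uint32_t s = 0; return parse_chunks_checked(kHostileFile, 5, &s); }

int main(void)
{
    printf("benign, checked:    sum=%u\n", checked_benign_sum());
    printf("benign, unchecked:  sum=%u\n", unchecked_benign_sum());
    printf("hostile, checked:   status=%d\n", checked_hostile_status());
    printf("truncated, checked: status=%d\n", checked_truncated_status());
    return 0;
}
```

The only difference between the two parsers is the two comparisons against `len - off` before the length is trusted; on well-formed input they produce the same result, and on the hostile sample the checked parser refuses the chunk instead of walking off the end of the buffer. The same check applied before a copy rather than a sum is what prevents the out-of-bounds write variant.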