As many of you are aware, Apple released a number of software updates today. Specifically:
- watchOS 5.3.4
- watchOS 6.1.1
- macOS Catalina 10.15.2
- Security Update 2019-002 Mojave
- Security Update 2019-007 High Sierra
- tvOS 13.3
- iOS 12.4.4
- iOS 13.3
- iPadOS 13.3
- Safari 13.0.4
I spent part of my day reading through the security info of all these updates. That is something that I do as a matter of course because it helps me to judge if I need to install an update now or if it can wait a day or two. And after reading through the security info, users of the following OSes should update ASAP:
- iOS 13
- iPadOS 13
- iOS 12
- macOS Catalina
- watchOS 5
- watchOS 6
The reason is that all of these OSes share a FaceTime bug. Specifically this one (copied from this page related to watchOS 5.3.4):
FaceTime
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to a device with iOS 12 installed
Impact: Processing malicious video via FaceTime may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8830: Natalie Silvanovich of Google Project Zero
The key part is that this was reported by Google’s Project Zero team. Now Google Project Zero doesn’t report trivial bugs. They only report the most serious ones. Thus whatever this bug is, one that allows “arbitrary code execution” from a malicious video via FaceTime has to be pretty serious. Which means that you by default must take it seriously because there’s a very good chance that if it isn’t already being exploited, it will be now.
As an aside, in case you are wondering why watchOS is on this list, the Apple Watch Walkie Talkie feature uses FaceTime audio, and it has historically been buggy.
Thus if I were you, I would set aside some time to update your Apple Watches, iPhones running iOS 12 or 13, and Macs running Catalina ASAP as there is likely a clear and present danger that you need to protect yourself from.
UPDATE: MacRumors is reporting that another serious flaw that is related to AirDrop on iOS has been fixed. That’s another reason to update ASAP. Strangely, this issue isn’t listed in the security info for iOS 13.3. Nor is it listed in the release notes for iOS 13.3. Strange.