38 comments

[ 5.0 ms ] story [ 85.0 ms ] thread
The Apple product security team just submitted this to the Full Disclosure mailing list[0]. There's a Python arbitrary remote code execution flaw addressed in this update (CVE-2020-9793). The same flaw is present in iOS as well[1][2].

[0]: http://seclists.org/fulldisclosure/2020/May/53

[1]: http://seclists.org/fulldisclosure/2020/May/49

[2]: https://support.apple.com/en-us/HT211168

The Python vulnerability has been removed from the iOS vulnerability list on Apple Support... iOS does not ship Python, so it was likely included by mistake.
Ah, it has! That explains my confusion about why Python is even present on iOS.

There's still a good meat of interesting vulnerabilities here, but many of the interesting ones have hidden details for now. I'm looking forward to when the full CVEs come out.

Yes. There was also a Zsh vulnerability mistakenly included in the iOS list.
Is this a normal disclosure? I just purchased a Mac but the list of potential kernel exploits seems much higher than I would expect in a point release.
yeah, apples software has the same flaws as everybody elses ( especially safari )
Apple has as many kernel exploits as any other, software is not perfect. macOS has a long history of many many security patches in point releases, sometimes the release notes run into the tens of pages.

The point of view you should take is that the company that doesn't issue security fixes (or issues very few comparatively) is the one you should be worried about: They are not better, they just don't fix anything and leave you vulnerable instead.

I haven't used Windows since I needed it for obscure engineering software in college, but I did find that the frequency of security updates combined with Windows reputation made me feel more uneasy rather than positive.

I felt less like "Oh good they're being proactive" and more like "Do they introduce 3 vulnerabilities for every one they fix?"

Bit the bonus is microsoft is patching these vulnerabilites at best every two weeks. For macos you have to wait for the next minor release which may take a lot longer.
Apple has shipped out-of-band security updates quickly — they must have an internal process for weighing severity versus the user fatigue from shipping frequent updates.
At least you know about them. The worst are those vendors who require a serious consulation payment (5 figure+ contracts) just for them to show you the security advisory and then at the end they say "there is no patch yet"
This is just my personal take, but what I think is happening is that recent advances in guided fuzzing have made C code (basically all C code) much more toxic and vulnerable than we thought.

So, like, have Apple been introducing new vulnerabilities at an alarming rate recently? I doubt it. Is their entire kernel and userspace security ecosystem built on quicksand, just like everyone else's? Pretty much yup.

I've noticed that Apple has started releasing Darwin sources more often. This is a really huge improvement for security research, since it lets outside researchers see the mitigations and fixes that Apple made to kernel security vulnerabilities quicker. This way, incomplete or otherwise incorrect fixes can be reported to Apple before that kernel version has been in the wild for a long time.
As someone who maintains mirrors of Apple's open source releases: eh. They had a week a couple months back where they deleted the download links for every old version of XNU; they've been OK for the last few weeks on opensource.apple.com itself but opensource.apple.com/tarballs has been slow to update for all projects (I even sent them an email about it!) And it's important to note that a lot of the actual security features that the system relies on (such as much of the sandboxing code) is not included in the open source release at all.
Sorry to hijack but would you know a way to run Darwin from sources as an OS for testing Mac builds (backend and command-line apps without GUI)? Clang and/or gcc would be a plus to have. I've looked at the PureDarwin project but that doesn't seem to provide anything I could use. Apple's update treadmill, notarization, SIP, and other tightening makes Mac OS an increasingly annoying and expensive/time-consuming platform to port software to.
I'm afraid not. I haven't seen anything other than PureDarwin that runs at all modern versions of Darwin. A Hackintosh on a relatively basic system (integrated graphics, nothing strange that isn't in an actual Mac) might be the easiest way for you to do this, although you'll still have to deal with the other things you mentioned.
It's not quite what you asked for, but have you tried Darling? If your app is simple enough it might work there. (Compiling Darwin from source is fairly involved, and I'll have to find the Apple engineer who posts instructions on how to build it these days…)
Thanks, didn't know about that project! I guess this isn't designed to run Mac OS's libc and userspace in a bug-for-bug compatible fashion though and thus wouldn't provide any more info about unique porting issues on Mac OS on top of what's already revealed by cross-compiling.
I am unsure if the XNU you can build from public sources can support the userspace the extent necessary to run all those tools. Honestly, I would probably suggest using a Hackintosh as it'd be significantly less work for a higher-fidelity result…
Yeah, thanks, we do have Apple hardware. It's about CI and build automation (or the lack thereof on Mac OS). For example, we can't re-image /reset a Mac into a pristine state easily after manually switching of SIP for CI, but must still end-user test the final product, can't justify the effort to adapt to yearly updates for relatively niche target, can't reasonably save working XCode setups, must test things on current Safari (so have a clean/up-to-date Apple machine around), etc.
Still no news about the mail data losses since 10.15.0... Ah well.
i held off upgrading to catalina for as long as possible, due to the mail bug and other issues, like the removal of itunes, which broke all my applescripts.

alas, xcode is one of my bread-and-butter apps. recent versions require catalina, so i had to switch.

due to the mail data loss bug, i bought a third-party mail client. it's good to support small developers, i guess?

Run fsck on your disk. I had the same problem, digging into it I found APFS had hopelessly corrupted my disk, its snapshots, and the time machine backups. In the process I not only lost mail and other files, but I had unexpected app crashes and casual kernel panics. Once I found the corrupted files I had to log in into single user mode to remove them as I couldn’t even as root when logged as usual. Don’t forget to delete your APFS snapshots, if you don’t the problem will quietly sneak in again. After that you’re safe to make a new snapshot and a new backup.

Why didn’t Apple just give us ZFS instead of the shitshow APFS is?

Yep. Its why I haven't upgraded yet.
This seems like a very large release with lots of security fixes. Wonder if Apple is releasing the security fixes quickly enough after it is found and reported or are they batching these fixes into a larger and fewer release and in doing so are they putting users at risk unnecessarily for longer duration.
Does Catalina have more security issues? Or are we just talking about them more than before?
Just more talking. The kind of bugs and their number are not that far off from windows or linux systems.
If you are a Mojave user please exercise caution when installing Security Update 2020-003 for Mojave, which was released together with Catalina 10.15.5. This update annulled my user's password. I couldn't log back in again once the update was installed. I had to use the original administrator account of my macOS setup in order to reset the password.

While searching for information on the problem I came upon another Mojave user who experienced the same problem. Twice... https://forums.macrumors.com/threads/login-password-screws-u...

I wonder why patches for individual security updates are pushed out individually instead of following the hard release process? We moved away from that in the web / app space decades ago, it's hard to imagine saying "guys, we need to wait 3 months to fix an SQL injection vulnerability to avoid churn."

Also...Mac updates are theoretically 'automatically installed', but somehow I have to notice and update, enter my password, and agree to restart and occasionally terms of service for every update which feels clunky.