Second macOS 10.14.6 Supplemental Update plugs malware hole
Apple has released a second "Supplemental Update" for macOS Mojave 10.14.6, along with security updates for High Sierra and Sierra, one which fixes a flaw found by Google that could be abused by malware as part of an attack.
Released on Thursday, "Supplemental Update 2," is described in the Software Update utility of macOS as "recommended for all users and improves the security of macOS." The update itself weighs in at 1.25 gigabytes, making it a relatively hefty update.
The update also includes links to the security content page, which advises the update fixes one bug. According to Apple, "a remote attacker may be able to cause unexpected application termination or arbitrary code execution" in unpatched Macs, with the update's affects being "an out-of-bounds read was addressed with improved input validation."
The issue is listed as CVE-2019-8641, and is credited to Samuel Gross and Natalie Silvanovich of Google Project Zero, the search company's security team working to uncover exploits and flaws in operating systems and software.
The bug is actually part of a batch of issues revealed by the team in July which disclosed five of six security bugs within iOS that could have allowed an attacker to affect a target user's device via iMessage. The CVE number in question was for the sixth bug that was not revealed at the time.
The first Supplemental Update for macOS Mojave 10.14.6 was released on August 1.
Released on Thursday, "Supplemental Update 2," is described in the Software Update utility of macOS as "recommended for all users and improves the security of macOS." The update itself weighs in at 1.25 gigabytes, making it a relatively hefty update.
The update also includes links to the security content page, which advises the update fixes one bug. According to Apple, "a remote attacker may be able to cause unexpected application termination or arbitrary code execution" in unpatched Macs, with the update's affects being "an out-of-bounds read was addressed with improved input validation."
The issue is listed as CVE-2019-8641, and is credited to Samuel Gross and Natalie Silvanovich of Google Project Zero, the search company's security team working to uncover exploits and flaws in operating systems and software.
The bug is actually part of a batch of issues revealed by the team in July which disclosed five of six security bugs within iOS that could have allowed an attacker to affect a target user's device via iMessage. The CVE number in question was for the sixth bug that was not revealed at the time.
The first Supplemental Update for macOS Mojave 10.14.6 was released on August 1.
Comments
It is puzzling how they decide what is a "minor" update and what is a "supplemental" update. Maybe it's too small to qualify as a version bump. Not small in seriousness, but changed files.