Apple usually pushes out security updates for its various devices and software on the same day, but not this time.
The update also fixed:
- Five kernel vulnerabilities, some of which can be exploited by a malicious application to execute arbitrary code with kernel privileges
- An S/MIME issue that existed in the handling of encrypted email and resulted in the use of an incorrect certificate for encryption
- Another encryption issue with S/MIME credentials that could have allowed an attacker with a privileged network position to intercept mail.
After last week’s release of an out-of-cycle emergency fix for a critical macOS High Sierra bug that allowed easy root access, the macOS update released yesterday (December 6) carry fixes for 22 vulnerabilities.
Among these are all the aforementioned kernel and S/MIME issues (plus one additional kernel one), several code execution flaws in IOKit, IOAcceleratorFamily, and Intel Graphics Driver. The update also includes a permissions issue in the handling of screen sharing sessions, which allowed a user with screen sharing access to access any file readable by root.
Security updates for iTunes and Safari have also been pushed out, but details about the patched bugs are yet to be released – and there’s no official explanation for the dalay.
The tvOS and watchOS updates were released on December 4 and 5, respectively, and contain the same fixes: for the aforementioned kernel bugs and a memory corruption issue in IOSurface, which could have allowed a malicious application to execute arbitrary code with kernel privileges.
As a side note: this latest watchOS upgrade also provides peer-to-peer payment capability through Apple Pay, but it will only work on Apple Watch when the wearable is paired with an iPhone running iOS 11.2.