Month: March 2020

macOS Catalina 10.15.4 Update (19E266) is now Available.

10.15.4 is Catalina’s forth update, which is sometimes called the “Spring Release Update” is live!  MacOS Catalina 10.15.4 is now available for download as a full installer.app, delta and combo update. Let’s take a look at the Catalina 10.15.4 Update (19E266) to see what’s new.

UPDATED: 03/26/20

10.15.4 Patch Notes Summary

• 12 New Features
• 7 Resolved Issues
• 20 Security Fixes
• 7 Enterprise Content Fixes

Apple’s Public Patch Notes / Release Notes Documentation

NOTE: Apple Documentation takes a bit to come online, I will update when the articles are posted.

developer.apple.com/documentation/macos_release_notes

developer.apple.com/documentation/macos_release_notes/macos_catalina_10_15_4_release_notes

For more detailed information about this update and previous updates, please visit: https://support.apple.com/kb/HT210642

Previous 10.15 Releases + Previous Patch Notes

• 10.15.4 = (19E266) March 24th 2020 = Current Release
• 10.15.3 = (19D76) January 28th 2020
• 10.15.2 = (19C57) December 10th 2019
• 10.15.1 = (19B2106) November 13th 2019
• 10.15.1 = (19B88) October 29th 2019
• 10.15.0 = (19A603) October 21st 2019
• 10.15.0 = (19A602) October 15th 2019
• 10.15.0 = (19A583) October 7th 2019

Catalina 10.15.4 Info & Download Links

Delta Update

Link – https://support.apple.com/kb/DL2036

Size = 2.97gb

Product ID = 061-72538

Requirements = 10.15.3

Combo Update

Link – https://support.apple.com/kb/DL2037

Size = 4.68gb

Product ID = 061-72538

Requirements = 10.15.0, 10.15.1, 10.15.2 or 10.15.3

Full Installer.app

Link – Catalina 10.15.4 Mac App Store

Size = 8.73gb

Product ID = 041-40615

Requirements – 10.15 Catalina Requirements

T2 BridgeOS Update

T2 BridgeOS was updated along with the 10.15.4 update.

BridgeOS Update = 17.16.14263

Security Content for Safari 13.1

https://support.apple.com/en-us/HT211104

New Apple Support Documents

About legacy system extensions in macOS Catalina

https://support.apple.com/en-us/HT210999

Prepare your Apple devices for working remotely

Catalina 10.15.4 Update (19E266) Overview

macOS Catalina 10.15.4 introduces iCloud Drive folder sharing, Screen Time communication limits, Apple Music time-synced lyrics view, and more. The update also improves the stability, reliability, and security of your Mac. 

Finder

• iCloud Drive folder sharing from Finder
• Controls to limit access only to people you explicitly invite, or to grant access to anyone with the folder link
• Permissions to choose who can make changes and upload files, and who can only view and download files

Screen Time

• Communication limits for controlling who your children can communicate with and be contacted by throughout the day and during downtime
• Playback control of music videos for your children

Music

• Time-synced lyrics view for Apple Music, including the ability to jump to your favorite part of a song by clicking a line in lyrics view

Safari

• Option to import Chrome passwords into your iCloud Keychain for easy AutoFill of your passwords in Safari and across all your devices
• Controls for duplicating a tab and for closing all tabs to the right of the current tab
• HDR playback support on compatible computers for Netflix content

App Store with Apple Arcade

• Universal Purchase support enables the use of a singular purchase of a participating app across iPhone, iPod touch, iPad, Mac, and Apple TV

Pro Display XDR

• Customized reference modes that you can tailor to specific workflow needs by selecting from several color gamut, white point, luminance, and transfer function options

Accessibility

• Head pointer preference for moving a cursor on the screen based on the precise movements of your head

This update also includes bug fixes and other improvements:

• High Dynamic Range output to HDR10-compatible third-party displays and TVs connected with DisplayPort or HDMI
• OAuth authentication support with Outlook.com accounts for improved security
• CalDav migration support when upgrading to iCloud reminders on a secondary device 
• Addresses an issue where text copied between apps may appear invisible when Dark Mode is active
• Resolves an issue in Safari where a CAPTCHA tile may display incorrectly 
• Fixes an issue where you may receive notifications for updated or completed reminders
• Fixes an issue with screen brightness for the LG UltraFine 5K display after waking from sleep

Enterprise content:

• Apple Push Notification Service traffic now uses a web proxy when specified in a PAC file
• Resolves an issue where updating the login keychain password after resetting a user password would cause a new keychain to be created
• After enabling ”Search directory services for certificates” in Keychain Access preferences, searching by email address in Keychain Access or Mail now locates a user certificate stored in directory services
• When setting the DisableFDEAutoLogin key in com.apple.loginwindow, you can now sync your FileVault password with the Active Directory user password after updating the user password
• Reinstates the ability to update or restore iOS, iPadOS, or tvOS devices by dragging .ipsw files to the device in an Apple Configurator 2 window
• Addresses an issue where sending the EraseDevice MDM command might not cause the device to be erased
• When logging in as an Active Directory user after using deferred FileVault enablement, the user is now prompted for their password to enable FileVault

Some features may not be available for all regions, or on all Apple devices.

Security Content for 10.15.4

https://support.apple.com/en-us/HT211100

• NOTE: Listed below are only security fixes for 10.15, fixes for 10.13 and 10.14 are listed in my 2020-002 security update article.

   

  Apple HSSPI Support

  Available for: macOS Catalina 10.15.3

  Impact: An application may be able to execute arbitrary code with system privileges

  Description: A memory corruption issue was addressed with improved memory handling.

  CVE-2020-3903: Proteas of Qihoo 360 Nirvan Team

  AppleGraphicsControl

  Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

  Impact: A malicious application may be able to execute arbitrary code with kernel privileges

  Description: Multiple memory corruption issues were addressed with improved state management.

  CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team

  AppleMobileFileIntegrity

  Available for: macOS Catalina 10.15.3

  Impact: An application may be able to use arbitrary entitlements

  Description: This issue was addressed with improved checks.

  CVE-2020-3883: Linus Henze (pinauten.de)

  Bluetooth

  Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

  Impact: A local user may be able to cause unexpected system termination or read kernel memory

  Description: An out-of-bounds read was addressed with improved input validation.

  CVE-2020-3907: Yu Wang of Didi Research America

  CVE-2020-3908: Yu Wang of Didi Research America

  CVE-2020-3912: Yu Wang of Didi Research America

  Bluetooth

  Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

  Impact: A malicious application may be able to execute arbitrary code with kernel privileges

  Description: A memory corruption issue was addressed with improved input validation.

  CVE-2020-3892: Yu Wang of Didi Research America

  CVE-2020-3893: Yu Wang of Didi Research America

  CVE-2020-3905: Yu Wang of Didi Research America

  Call History

  Available for: macOS Catalina 10.15.3

  Impact: A malicious application may be able to access a user’s call history

  Description: This issue was addressed with a new entitlement.

  CVE-2020-9776: Benjamin Randazzo (@____benjamin)

  CoreFoundation

  Available for: macOS Catalina 10.15.3

  Impact: A malicious application may be able to elevate privileges

  Description: A permissions issue existed. This issue was addressed with improved permission validation.

  CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

  FaceTime

  Available for: macOS Catalina 10.15.3

  Impact: A local user may be able to view sensitive user information

  Description: A logic issue was addressed with improved state management.

  CVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion – Israel Institute of Technology

  Icons

  Available for: macOS Catalina 10.15.3

  Impact: A malicious application may be able to identify what other applications a user has installed

  Description: The issue was addressed with improved handling of icon caches.

  CVE-2020-9773: Chilik Tamir of Zimperium zLabs

  Intel Graphics Driver

  Available for: macOS Catalina 10.15.3

  Impact: A malicious application may disclose restricted memory

  Description: An information disclosure issue was addressed with improved state management.

  CVE-2019-14615: Wenjian HE of Hong Kong University of Science and Technology, Wei Zhang of Hong Kong University of Science and Technology, Sharad Sinha of Indian Institute of Technology Goa, and Sanjeev Das of University of North Carolina

  IOHIDFamily

  Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

  Impact: A malicious application may be able to execute arbitrary code with kernel privileges

  Description: A memory initialization issue was addressed with improved memory handling.

  CVE-2020-3919: an anonymous researcher

  Kernel

  Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

  Impact: An application may be able to read restricted memory

  Description: A memory initialization issue was addressed with improved memory handling.

  CVE-2020-3914: pattern-f (@pattern_F_) of WaCai

  Kernel

  Available for: macOS Catalina 10.15.3

  Impact: A malicious application may be able to execute arbitrary code with kernel privileges

  Description: Multiple memory corruption issues were addressed with improved state management.

  CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

  libxml2

  Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

  Impact: Multiple issues in libxml2

  Description: A buffer overflow was addressed with improved bounds checking.

  CVE-2020-3909: LGTM.com

  CVE-2020-3911: found by OSS-Fuzz

  libxml2

  Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

  Impact: Multiple issues in libxml2

  Description: A buffer overflow was addressed with improved size validation.

  CVE-2020-3910: LGTM.com

  Mail

  Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3

  Impact: A remote attacker may be able to cause arbitrary javascript code execution

  Description: An injection issue was addressed with improved validation.

  CVE-2020-3884: Apple

  sudo

  Available for: macOS Catalina 10.15.3

  Impact: An attacker may be able to run commands as a non-existent user

  Description: This issue was addressed by updating to sudo version 1.8.31.

  CVE-2019-19232

  TCC

  Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3

  Impact: A maliciously crafted application may be able to bypass code signing enforcement

  Description: A logic issue was addressed with improved restrictions.

  CVE-2020-3906: Patrick Wardle of Jamf

  Time Machine

  Available for: macOS Catalina 10.15.3

  Impact: A local user may be able to read arbitrary files

  Description: A logic issue was addressed with improved state management.

  CVE-2020-3889: Lasse Trolle Borup of Danish Cyber Defence

  Vim

  Available for: macOS Catalina 10.15.3

  Impact: Multiple issues in Vim

  Description: Multiple issues were addressed by updating to version 8.1.1850.

  CVE-2020-9769: Steve Hahn from LinkedIn

macOS Catalina 10.15.4 Update