It appears that most of today’s updates were released to patch a vulnerability for devices that don’t support Apple’s latest software. That’s just a theory, but it’s supported by the fact that the updates appear to be small and contain no user-facing features. Furthermore, the security notes for each of today’s updates list the same exact vulnerability.
Details on the security flaw itself are scarce, but Apple’s security notes say that it’s a problem with its Foundation developer framework and could allow a remote attacker to “cause unexpected application termination or arbitrary code execution.”
The flaw itself is listed as CVE-2019-8641. It was apparently discovered by Samuel Groß and Natalie Silvanovich of Google’s Project Zero team. The vulnerability appears to be reserved in the National Vulnerability Database, so no other details could be gleaned.
To fix it, Apple says it addressed an out-of-bounds read with improved input validation.
All of this suggests that the vulnerability itself is a fairly severe one, which is likely why Apple has fixed the flaw in updates for devices that don’t support iOS 13 or watchOS 6. It’s also probably why Apple decided to issue a Supplemental Update for Mojave rather than waiting for macOS Catalina.
iOS 12.4.2, for example, will support several devices that aren’t compatible with iOS 13, such as the iPhone 6 lineup, the iPhone 5s, the first-gen iPad Air, the second- and third-gen iPad mini, and the sixth-gen iPod touch.
Similarly, watchOS 5.3.2 is compatible with the Apple Watch Series 1 and Apple Watch Series 2. Those devices aren’t yet supported by watchOS 6.
macOS Catalina, of course, isn’t available yet. That’s likely why Apple issued macOS Mojave 10.14.6 Supplemental Update 2, alongside security updates for High Sierra and Sierra for Macs that won’t support Catalina when it debuts.
The software updates should now be available over-the-air. While we don’t know the exact details, we recommend that you update to the latest available software with a fix for CVE-2019-8641 as soon as possible.