
About the security content of macOS Catalina 10.15.5 - vngzs
https://support.apple.com/en-us/HT211170
======
daneel_w
If you are a Mojave user please exercise caution when installing Security
Update 2020-003 for Mojave, which was released together with Catalina 10.15.5.
This update annulled my user's password. I couldn't log back in again once the
update was installed. I had to use the original administrator account of my
macOS setup in order to reset the password.

While searching for information on the problem I came upon another Mojave user
who experienced the same problem. Twice...
[https://forums.macrumors.com/threads/login-password-screws-up-after-security-update-2020-002-and-2020-003.2227824/](https://forums.macrumors.com/threads/login-password-screws-up-after-security-update-2020-002-and-2020-003.2227824/)

------
snazz
I've noticed that Apple has started releasing Darwin sources more often. This
is a really huge improvement for security research, since it lets outside
researchers see the mitigations and fixes that Apple made to kernel security
vulnerabilities quicker. This way, incomplete or otherwise incorrect fixes can
be reported to Apple before that kernel version has been in the wild for a
long time.

~~~
saagarjha
As someone who maintains mirrors of Apple's open source releases: eh. They had
a week a couple months back where they deleted the download links for every
old version of XNU; they've been OK for the last few weeks on
opensource.apple.com itself but opensource.apple.com/tarballs has been slow to
update for all projects (I even sent them an email about it!) And it's
important to note that a lot of the actual security features that the system
relies on (such as much of the sandboxing code) is not included in the open
source release at all.

~~~
tannhaeuser
Sorry to hijack but would you know a way to run Darwin from sources as an OS
for testing Mac builds (backend and command-line apps without GUI)? Clang
and/or gcc would be a plus to have. I've looked at the PureDarwin project but
that doesn't seem to provide anything I could use. Apple's update treadmill,
notarization, SIP, and other tightening makes Mac OS an increasingly annoying
and expensive/time-consuming platform to port software to.

~~~
saagarjha
It's not quite what you asked for, but have you tried Darling? If your app is
simple enough it might work there. (Compiling Darwin from source is fairly
involved, and I'll have to find the Apple engineer who posts instructions on
how to build it these days…)

~~~
tannhaeuser
Thanks, didn't know about that project! I guess this isn't designed to run Mac
OS's libc and userspace in a bug-for-bug compatible fashion though and thus
wouldn't provide any more info about unique porting issues on Mac OS on top of
what's already revealed by cross-compiling.

~~~
saagarjha
I am unsure if the XNU you can build from public sources can support the
userspace to the extent necessary to run all those tools. Honestly, I would
probably suggest using a Hackintosh as it'd be significantly less work for a
higher-fidelity result…

~~~
tannhaeuser
Yeah, thanks, we do have Apple hardware. It's about CI and build automation
(or the lack thereof on Mac OS). For example, we can't re-image/reset a Mac
into a pristine state easily after manually switching off SIP for CI, but must
still end-user test the final product, can't justify the effort to adapt to
yearly updates for relatively niche target, can't reasonably save working
XCode setups, must test things on current Safari (so have a clean/up-to-date
Apple machine around), etc.

------
vngzs
The Apple product security team just submitted this to the Full Disclosure
mailing list[0]. There's a Python arbitrary remote code execution flaw
addressed in this update (CVE-2020-9793). The same flaw is present in iOS as
well[1][2].

[0]:
[http://seclists.org/fulldisclosure/2020/May/53](http://seclists.org/fulldisclosure/2020/May/53)

[1]:
[http://seclists.org/fulldisclosure/2020/May/49](http://seclists.org/fulldisclosure/2020/May/49)

[2]: [https://support.apple.com/en-us/HT211168](https://support.apple.com/en-us/HT211168)

~~~
JonathonW
The Python vulnerability has been removed from the iOS vulnerability list on
Apple Support... iOS does not ship Python, so it was likely included by
mistake.

~~~
snazz
Yes. There was also a Zsh vulnerability mistakenly included in the iOS list.

------
vinay_ys
This seems like a very large release with lots of security fixes. Wonder if
Apple is releasing the security fixes quickly enough after they are found and
reported, or are they batching these fixes into larger and fewer releases and,
in doing so, putting users at risk unnecessarily for a longer duration?

~~~
saagarjha
Here's the list for 10.15.4: [https://support.apple.com/en-us/HT211100](https://support.apple.com/en-us/HT211100). This one does not seem
unusually large.

------
jwiley
I wonder why patches for individual security updates are pushed out
individually instead of following the hard release process? We moved away from
that in the web / app space decades ago, it's hard to imagine saying "guys, we
need to wait 3 months to fix an SQL injection vulnerability to avoid churn."

Also...Mac updates are theoretically 'automatically installed', but somehow I
have to notice and update, enter my password, and agree to restart and
occasionally terms of service for every update which feels clunky.

------
bgorman
Is this a normal disclosure? I just purchased a Mac but the list of potential
kernel exploits seems much higher than I would expect in a point release.

~~~
barkingcat
Apple has as many kernel exploits as any other, software is not perfect. macOS
has a long history of many many security patches in point releases, sometimes
the release notes run into the tens of pages.

The point of view you should take is that the company that doesn't issue
security fixes (or issues very few comparatively) is the one you should be
worried about: They are not better, they just don't fix anything and leave you
vulnerable instead.

~~~
skrtskrt
I haven't used Windows since I needed it for obscure engineering software in
college, but I did find that the frequency of security updates combined with
Windows' reputation made me feel more uneasy rather than positive.

I felt less like "Oh good they're being proactive" and more like "Do they
introduce 3 vulnerabilities for every one they fix?"

~~~
tpetry
But the bonus is Microsoft is patching these vulnerabilities at best every two
weeks. For macOS you have to wait for the next minor release, which may take a
lot longer.

~~~
acdha
Apple has shipped out-of-band security updates quickly — they must have an
internal process for weighing severity versus the user fatigue from shipping
frequent updates.

------
cglong
Heads-up that this update, along with recent security updates for High Sierra
and Mojave, disable the ability to hide major macOS updates:
[https://www.macrumors.com/2020/05/28/macos-ignore-software-updates/](https://www.macrumors.com/2020/05/28/macos-ignore-software-updates/)

------
rcarmo
Still no news about the mail data losses since 10.15.0... Ah well.

~~~
yborg
What is this bug? I've been using Mail on Catalina for the last 6 months and
haven't noticed any problems.

~~~
rcarmo
I assume I was downvoted out of spite or by someone who's not aware of this:

[https://mjtsai.com/blog/2019/10/11/mail-data-loss-in-macos-10-15/](https://mjtsai.com/blog/2019/10/11/mail-data-loss-in-macos-10-15/)

Michael Tsai has been keeping track of this since October, and regularly
comments on this with every Catalina update, like the last one:

[https://mjtsai.com/blog/2020/05/27/macos-10-15-5/](https://mjtsai.com/blog/2020/05/27/macos-10-15-5/)

------
LordFast
Does Catalina have more security issues? Or are we just talking about them
more than before?

~~~
quantummkv
Just more talking. The kind of bugs and their number are not that far off from
Windows or Linux systems.

