About Apple security updates
Catalina's top-rated Zip Line Eco Tour takes you 600 feet above Descanso Beach Club, where you’ll enjoy sweeping ocean views as you zip across the canyon and through the trees on five separate lines at speeds approaching 35 mph. During this 2-hour adventure, trained guides will share interesting facts about the unique flora and fauna found. This document describes the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Catalina is an early launch partner of Switchboard, a module within The Tapad Graph that will connect emerging cookieless identifiers to traditional IDs, creating a more holistic view of the consumer and driving value exchange within the advertising ecosystem.
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave
Released February 1, 2021
Analytics
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2021-1761: Cees Elzinga
APFS
Available for: macOS Big Sur 11.0.1
Impact: A local user may be able to read arbitrary files
Description: The issue was addressed with improved permissions logic.
CVE-2021-1797: Thomas Tempelmann
CFNetwork Cache
Available for: macOS Catalina 10.15.7 and macOS Mojave 10.14.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: An integer overflow was addressed with improved input validation.
CVE-2020-27945: Zhuo Liang of Qihoo 360 Vulcan Team
CoreAnimation
Available for: macOS Big Sur 11.0.1
Impact: A malicious application could execute arbitrary code leading to compromise of user information
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-1760: @S0rryMybad of 360 Vulcan Team
CoreAudio
Available for: macOS Big Sur 11.0.1
Impact: Processing maliciously crafted web content may lead to code execution
Description: An out-of-bounds write was addressed with improved input validation.
CVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab
CoreGraphics
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-1776: Ivan Fratric of Google Project Zero
Entry updated March 16, 2021
CoreMedia
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1759: Hou JingYi (@hjy79425575) of Qihoo 360 CERT
CoreText
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
Description: A stack overflow was addressed with improved input validation.
CVE-2021-1772: Mickey Jin (@patch1t) of Trend Micro working with Trend Micro’s Zero Day Initiative
Entry updated March 16, 2021
CoreText
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1
Impact: A remote attacker may be able to cause arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro’s Zero Day Initiative
Entry updated March 16, 2021
Crash Reporter
Available for: macOS Catalina 10.15.7
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2021-1761: Cees Elzinga
Crash Reporter
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: A local attacker may be able to elevate their privileges
Description: Multiple issues were addressed with improved logic.
CVE-2021-1787: James Hutchins
Crash Reporter
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: A local user may be able to create or modify system files
Description: A logic issue was addressed with improved state management.
CVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security
Directory Utility
Available for: macOS Catalina 10.15.7
Impact: A malicious application may be able to access private information
Description: A logic issue was addressed with improved state management.
CVE-2020-27937: Wojciech Reguła (@_r3ggi) of SecuRing
Endpoint Security
Available for: macOS Catalina 10.15.7
Impact: A local attacker may be able to elevate their privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-1802: Zhongcheng Li (@CK01) of WPS Security Response Center
FairPlay
Available for: macOS Big Sur 11.0.1
Impact: A malicious application may be able to disclose kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
CVE-2021-1791: Junzhi Lu (@pwn0rz), Qi Sun & Mickey Jin of Trend Micro working with Trend Micro’s Zero Day Initiative
FontParser
Available for: macOS Catalina 10.15.7
Impact: Processing a maliciously crafted font may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1790: Peter Nguyen Vu Hoang of STAR Labs
FontParser
Available for: macOS Mojave 10.14.6
Impact: Processing a maliciously crafted font may lead to arbitrary code execution
Description: This issue was addressed by removing the vulnerable code.
CVE-2021-1775: Mickey Jin and Qi Sun of Trend Micro working with Trend Micro’s Zero Day Initiative
Entry updated March 16, 2021
FontParser
Available for: macOS Mojave 10.14.6
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-29608: Xingwei Lin of Ant Security Light-Year Lab
FontParser
Available for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7
Impact: A remote attacker may be able to cause arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1758: Peter Nguyen of STAR Labs
ImageIO
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An access issue was addressed with improved memory management.
CVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab
ImageIO
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1743: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro’s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab
ImageIO
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A logic issue was addressed with improved state management.
CVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab
ImageIO
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.
CVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab
ImageIO
Available for: macOS Catalina 10.15.7, macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1736: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab
Entry updated March 16, 2021
ImageIO
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: This issue was addressed with improved checks.
CVE-2021-1766: Danny Rosseau of Carve Systems
Entry updated March 16, 2021
ImageIO
Available for: macOS Catalina 10.15.7, macOS Big Sur 11.0.1
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A logic issue was addressed with improved state management.
CVE-2021-1818: Xingwei Lin of Ant-Financial Light-Year Security Lab
Entry updated March 16, 2021
ImageIO
Available for: macOS Catalina 10.15.7, macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-1742: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1746: Jeonghoon Shin(@singi21a) of THEORI, Mickey Jin & Qi Sun of Trend Micro working with Trend Micro’s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1754: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1774: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1777: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab
Entry updated March 16, 2021
ImageIO
Available for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write was addressed with improved input validation.
CVE-2021-1737: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1738: Lei Sun
CVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab
IOKit
Available for: macOS Big Sur 11.0.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: A logic error in kext loading was addressed with improved state handling.
CVE-2021-1779: Csaba Fitzl (@theevilbit) of Offensive Security
IOSkywalkFamily
Available for: macOS Big Sur 11.0.1
Impact: A local attacker may be able to elevate their privileges
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1757: Pan ZhenPeng (@Peterpan0927) of Alibaba Security, Proteas
Kernel
Available for: macOS Catalina 10.15.7 and macOS Mojave 10.14.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.
CVE-2020-27904: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab
Kernel
Available for: macOS Big Sur 11.0.1
Impact: A remote attacker may be able to cause a denial of service
Description: A use after free issue was addressed with improved memory management.
CVE-2021-1764: @m00nbsd
Kernel
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A race condition was addressed with improved locking.
CVE-2021-1782: an anonymous researcher
Kernel
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple issues were addressed with improved logic.
CVE-2021-1750: @0xalsr
Login Window
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: An attacker in a privileged network position may be able to bypass authentication policy
Description: An authentication issue was addressed with improved state management.
CVE-2020-29633: Jewel Lambert of Original Spin, LLC.
Messages
Available for: macOS Big Sur 11.0.1
Impact: A malicious application may be able to leak sensitive user information
Description: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.
CVE-2021-1781: Csaba Fitzl (@theevilbit) of Offensive Security
Entry added March 16, 2021
Messages
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: A user that is removed from an iMessage group could rejoin the group
Description: This issue was addressed with improved checks.
CVE-2021-1771: Shreyas Ranganatha (@strawsnoceans)
Model I/O
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution
Description: An out-of-bounds write was addressed with improved input validation.
CVE-2021-1762: Mickey Jin of Trend Micro working with Trend Micro’s Zero Day Initiative
Entry updated March 16, 2021
Model I/O
Available for: macOS Catalina 10.15.7
Impact: Processing a maliciously crafted file may lead to heap corruption
Description: This issue was addressed with improved checks.
CVE-2020-29614: ZhiWei Sun (@5n1p3r0010) of Topsec Alpha Lab
Model I/O
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2021-1763: Mickey Jin of Trend Micro working with Trend Micro’s Zero Day Initiative
Model I/O
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: Processing a maliciously crafted image may lead to heap corruption
Description: This issue was addressed with improved checks.
CVE-2021-1767: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro’s Zero Day Initiative
Model I/O
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1745: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro’s Zero Day Initiative
Model I/O
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1753: Mickey Jin of Trend Micro working with Trend Micro’s Zero Day Initiative
Model I/O
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1768: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro’s Zero Day Initiative
NetFSFramework
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution
Description: A logic issue was addressed with improved state management.
CVE-2021-1751: Mikko Kenttälä (@Turmio_) of SensorFu
OpenLDAP
Available for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-25709
Power Management
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state management.
CVE-2020-27938: Tim Michaud (@TimGMichaud) of Leviathan
Screen Sharing
Available for: macOS Big Sur 11.0.1
Impact: Multiple issues in pcre
Description: Multiple issues were addressed by updating to version 8.44.
CVE-2019-20838
CVE-2020-14155
SQLite
Available for: macOS Catalina 10.15.7
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed with improved checks.
CVE-2020-15358
Swift
Available for: macOS Big Sur 11.0.1
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: A logic issue was addressed with improved validation.
CVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs
WebKit
Available for: macOS Big Sur 11.0.1
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2021-1788: Francisco Alonso (@revskills)
WebKit
Available for: macOS Big Sur 11.0.1
Impact: Maliciously crafted web content may violate iframe sandboxing policy
Description: This issue was addressed with improved iframe sandbox enforcement.
CVE-2021-1765: Eliya Stein of Confiant
CVE-2021-1801: Eliya Stein of Confiant
WebKit
Available for: macOS Big Sur 11.0.1
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved state handling.
CVE-2021-1789: @S0rryMybad of 360 Vulcan Team
WebKit
Available for: macOS Big Sur 11.0.1
Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1871: an anonymous researcher
CVE-2021-1870: an anonymous researcher
WebRTC
Available for: macOS Big Sur 11.0.1
Impact: A malicious website may be able to access restricted ports on arbitrary servers
Description: A port redirection issue was addressed with additional port validation.
CVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar
Additional recognition
Kernel
We would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.
libpthread
We would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.
Login Window
We would like to acknowledge Jose Moises Romero-Villanueva of CrySolve for their assistance.
Mail Drafts
We would like to acknowledge Jon Bottarini of HackerOne for their assistance.
What Is The Latest Catalina Update
Screen Sharing Server
We would like to acknowledge @gorelics for their assistance.
WebRTC
We would like to acknowledge Philipp Hancke for their assistance.
macOS Catalina 10.15 is the latest operating system that runs on Apple Mac laptops and desktops. However, it is still in beta test and only available for part of Mac computers with high profile or enrolled in Apple Beta Program. Is there any way to upgrade the macOS to Catalina manually or install Catalina on Mac from scratch? The answer is Yes. But you have to download macOS Cataina DMG or the installer app.
If you are looking for the easiest way to download macOS Catalina DMG on a Macand but don't know how? Well, there are three ways by which you can instantly get the latest macOS installer without a hassle.
Part 1. Get MacOS Catalina DMG Via Direct Download Link
Many people prefer the direct download link of macOS Catalina as it is more flexible. You can unpack the DMG file and make a bootable Catalina installer USB, which can be used to install macOS on other computers. However, it is not easy to find the direct download link because Apple wants you to upgrade from Mac App Store. Fortunately, there are a few good websites that host the direct download link of macOS Catalina DMG. After that, you can burn the macOS dmg to USB to make it bootable for installation.
macOS Catalina 10.15 DMG Download Link 1: https://themacgo.com/macdownload/ (Wait a few seconds and the download starts automatically.)
macOS Catalina 10.15 DMG Download Link 2: https://drive.google.com/drive/folders/1ELQXMuuVWddamLPG0RHjyvaNW4r628CM (Password: Geekrar.com)
macOS Catalina 10.15 DMG Download Link 3: http://www.mediafire.com/file/wazr84baudhi27h/macOS_Catalina_DMG_by_Geekrar.rar/file
macOS Catalina 10.15 DMG Download Link 4: https://sundryfiles.com/G54 (Premium account required for download!)
macOS Catalina 10.15 InstallESDDmg PKG Download Link : http://swcdn.apple.com/content/downloads/61/56/041-83630-A_8RCIBB415Y/7jqh3nh97ood2mjej7hdgpx7fgh5c3fi9g/InstallESDDmg.pkg
macOS Catalina 10.15 VMware Image Download Link: https://www.mediafire.com/file/yrd1py7od5911zt/Catalina_Virtual_Disk_Image_by_Techsviewer.rar/file
macOS Catalina 10.15 VirtualBox Image Download Link: https://www.mediafire.com/file/yrd1py7od5911zt/Catalina_Virtual_Disk_Image_by_Techsviewer.rar/file
Tips: After downloading macOS Catalina .dmg file, it is time to make a macOS bootable USB from it. For this purpose, you can give a try on UUByte DMG Editor, one of the most popular software to create a Catalina USB installer on both Windows PC and Mac.
What Is The Most Recent Version Of Catalina
Part 2. Download macOS Catalina From Mac App Store
Apple always recommends its users downloading macOS install file from Mac App Store for security reasons. It is safe and easy. But the actual downloaded file is not an dmg file. Instead, it is an app called Install macOS Catalina, which is used to make the upgrade from current macOS to Catalina. For a clean install, it is better to download the dmg file and make an installer USB.
Note: Make sure to back up your Mac prior to installing macOS Catalina.
Step 1: Go to Mac App Store and search macOS Catalina. Then hit on 'Get' to download page.
Step 2: Doing this will open System Preferences followed by the section of Software Update, where you will find MacOS Catalina ready to download. Hit the option saying 'Upgrade Now' and download MacOS Catalina on your Mac.
Step 3: Next, macOS Catalina upgrade will ask for system reboot. Complete the process and install macOS Catalina on that computer.
Downloading macOS Catalina Install app works fine on my of newly devices but it could be problems for old Macs even it is officially supported by Catalina. If this is the case, then you have to patch the OS and install Catalina again. However, you need find a third-party app to do the dirty work. We will talk about this in Part 3.
Part 3. Download macOS Catalina 10.15 Installer with macOS Catalina Patcher
Although it may appear easy to try out the conventional approach of downloading macOS update in Software Update, there are a few known issues on old Macs shipped in 2013 or earlier, meaning the download progress can not be completed successfully. That's why macOS Catalina Patcher tool comes into help. This patching tool makes the job even simpler for installing macOS Catalina on unsupported Mac models.
However, the file size of these updates differs depending on the Mac device you are using. That means the downloaded update might not necessarily be the full installer version. For instance, if you wish to keep the installer file as archive for further application, or use it to generate bootable flash drive, this file size won't be sufficient.
Fortunately, with macOS Catalina Patcher tool, you can simply download the entire update of macOS setup from Apple's servers. Let's check out the stepwise instructions of how to use this software tool to download the macOS Catalina DMG.
Step 1: Download a copy of macOS Catalina Patcher from this link.
Step 2: After downloading and attempting to install, an error notification will be prompted. It is due to the unavailability of developer verification credential for macOS. Now, go to System Preferences -> Security & Privacy. Then find the button saying 'Open Anyway' to let the app run.
Step 3: Open macOS Catalina Patcher app and from the main menu, navigate to Options to uncheck the box saying 'Auto-apply Post Install Patches'. As you are done with the previous step and move to the screen as in the link below, hit Download a Copy.
Step 4: The following screen will notify the file size of macOS Catalina you are to download. The resolution is around 7GB and after the download, it will automatically get stored in the Downloads folder. Then hit Continue to initiate the process of download.
Step 5: The download time of the file will depend upon the internet connection and its speed. So, you might have to wait for some while for the process to complete. Eventually, the entire macOS Catalina setup file will be available on your device.
Closing Words
Well, that is all for the day. Hopefully, the above methods were helpful in guiding you on how to download macOS Catalina for both supported and unsupported Macs. When the download is finished, the next step is to burn the DMG file to USB. Then boot macOS from USB and starts the installation wizard.