Apple released security updates for iOS today, which fixes 51 operating system vulnerabilities in version 12.2. The products affected include iPhone 5s and later, iPad Air and newer iPods of 6th generation.
Products running tvOS–the iOS based Apple TV 4 K and Apple TV HD should be updated to 12.2, since 36 vulnerabilities are also affected.
The patch list includes a wide range of bugs an opponent could potentially manipulate in order to obtain effects such as Denial-of-Service, escalating privilege and information disclosure to obtain root privileges, override arbitrary files or to execute code of choice for an attacker.
19 Web – based issues
Alex Stamos, a reputed security practitioner, and former Chief Security Officer at Facebook, mentioned a batch of severe memory corruption vulnerabilities in iOS 12.2, noting that the Apple big media events may not coincide with their round of bug fixes
Apple fixed some really serious bugs in iOS 12.2. Update now!
Once again, this raises the question of whether Apple should tie their security patch schedule to major media events. This isn’t “Patch Tuesday”, it’s “Patch Keynote”. pic.twitter.com/F8fCoJmh2v
— Alex Stamos (@alexstamos) 25 March 2019
By far, the web browser Apple uses most vulnerabilities in Webkit in many products, such as Safari, Mail, and the App Store. Most common of these were memory corruption bugs, which could be used to execute arbitrary code via the maliciously crafted processing of web content. Apple addressed these mistakes by improving memory, state and management. Another memory-related problem, tracked as CVE-2019-8562, could be used to prevent the sandbox restrictions from being bypassed.
The solution in this case was to improve validation inspections. In previous iOS versions, Webkit is also affected by a fault (CVE-2019-6222) that allows websites to enter a microphone without indicating the active state. The same effect would be achieved by using a bug separate from the ReplayKit component (CVE-2019-8566) to record or stream video from the screen and audio from an app or directly from the microphon.
Apple’s security updates listing the current iOS release tells us that an attacker could use two universal cross-site script (XSS) vulnerabilities-CVE-2019-8551 and read sensitive user data (CVE-2019-8515). An opponent could also take advantage of another webkit bug (CVE-2019-8503), which allows a website to run scripts in another website.
Kernel problems and malicious SMS
In previous iOS versions, six issues may affect the kernel that may lead to system crash or corruption (CVE-2019-8527), may lead to malicious apps reading memory layout (CVE-2019-8540, CVE-2019-6207, CVE-2019-8510), or may result in higher privileges (CVE-2019-8514).
Using CVE-2019-7293 allows local users to read the kernel memory and to extract sensitive information. An anonymous researcher has reported an interesting vulnerability to CVE-2019-8553 affecting the GeoServices component.
Apple’s brief explanation notes that a victim could send an arbitrary code execution “malicious SMS link.” Apple’s security patch inventory is impressive not only because of the large number of problems addressed, but also because of the severity of some of the vulnerabilities. These updates should be implemented at the earliest opportunity as they pose significant security risks to the products they affect.