Apple has released new versions of iOS, watchOS, tvOS and Safari and has plugged a number of security holes in each.
iOS 12 comes with improved usability, stability, reliability and speed, but also with some interesting new and improved features that should help users choose and manage passwords and use two-factor authentication.
Apple software engineer Ricky Mondello has highlighted a number of them, including:
- A revamped iCloud Keychain password manager that generates passwords when creating accounts within apps (this should help minimize weak passwords and password reuse),
- iOS’ Password AutoFill helps enter passwords on Apple TV, and works with third-party password manager apps like 1Password or LastPass,
- Siri is now able to look up a saved password for the user (but will not read them out loud),
- Security codes delivered via text messages will automatically appear on the QuickType bar, allowing users to fill them in where required with one tap.
(Apple has also updated the iOS Security Guide with a new section on user password management.)
The company has patched a number of security holes with this update, including a code execution flaw in Bluetooth, a vulnerability that may allow an attacker in a privileged network position to spoof password prompts in the iTunes Store, a weakness in the RC4 cryptographic algorithm, and a logic issue that could allow a malicious website to exfiltrate autofilled data in Safari.
A vulnerability in iOS 11 and later that allows an attacker in a privileged network position to intercept analytics data sent to Apple has also been addressed with a patch.
The other updates
Many of the aforementioned vulnerabilities have also been fixed in tvOS 12 and watchOS 5.
The Safari 12 update includes fixes for three flaws: the autofilled data exfiltration issue mentioned above, a vulnerability that made it difficult for users to delete browsing history items, and a flaw that would allow a malicious website to spoof the user interface.
Mondello also pointed out that Safari 12 on macOS comes with improved Intelligent Tracking Prevention and a new Passwords pane in the browser’s Preferences, which shows users where they are reusing passwords.