Apple has released security updates to address a number of vulnerabilities in iCloud for Windows and iOS, some of which can be exploited by attackers to take control of an affected system.
The iCloud for Windows update carries fixes for nearly twenty WebKit vulnerabilities, all of which were patched last month in other Apple offerings. Most of them can lead to arbitrary code execution if maliciously crafted web content is processed.
The iOS update (12.0.1)
iOS 12.0.1 includes fixes for several bugs that interfered with normal device charging, joining a Wi-Fi network and seeing subtitles in video apps, as well as a Bluetooth issue.
It also closes two security bugs discovered and reported by researcher Jose Rodriguez. Both of them allow a physically present attacker to bypass the device’s lock screen.
CVE-2018-4380 affects the VoiceOver accessibility feature that allows blind people to use iOS devices, and may allow the attacker to view photos and contacts. Rodriguez provided a demo of this bypass.
CVE-2018-4379 affects the Quick Look capability, which lets people preview a variety of documents, images and other types of files even if their mail app doesn’t support those file formats, and may allow the attacker to share items.
Both bugs have been fixed by restricting options offered on a locked device running iOS.
Those who haven’t enabled the new Automatic Updates option that was introduced in iOS 12 (but is turned off by default) are advised to install the update manually.