Another month, another set of Apple security updates: if you’re using macOS, iOS, Shortcuts for iOS, tvOS, Safari, and iCloud and iTunes for Windows, it’s time to get patching.
The Safari, iCloud and iTunes updates have a lot of overlap – two Safari bugs that can lead to address bar or user interface spoofing, and six WebKit issues that can be triggered by the processing of maliciously crafted web content to achieve remote code execution.
The Safari update fixes one additional flaw: an issue that made it impossible for users to fully delete their browsing history.
The tvOS update closes those same WebKit flaws, along with five kernel issues that could lead to DoS, privilege elevation (through a malicious app), and code execution with kernel privileges (also via a malicious app), and a certificate validation issue.
The former includes patches for the kernel and various components (AMD, Carbon Core, Intel Graphics Driver, etc.), which mostly sport bugs exploitable by malicious apps to achieve code execution or to read memory.
The latter carries fixes for the Safari, WebKit, and kernel flaws mentioned above, plus a handful of other bugs. Among these the most interesting are:
- A lock screen issue that can allow access to contacts on a locked device (similar to the passcode bypass vulnerabilities fixed in October and flagged by the same researcher)
- An issue in the LinkPresentation component that could lead to user interface spoofing once a maliciously crafted email has been processed, and
- A bug in the FileProvider component that could allow a malicious application to learn information about the presence of other applications on the device.
Finally: the Shortcuts app update for iOS does not have published CVE entries, but you know there must be something in there, so you might as well update it. (Apple often refrains from revealing the existence of some bugs or fixes for them until the majority of users has had the chance to implement the updates.)