The security updates
The update for Xcode – Apple’s integrated environment for developing software for macOS, iOS, watchOS, and tvOS – carries a fix for a single flaw: CVE-2018-4461, a kernel memory corruption issue that has been patched last December in iOS, tvOS, watchOS and macOS Mojave. This fix is for macOS High Sierra 10.13.6 or later.
Apple has plugged a bucketload of WebKit holes in all the security updates except that for macOS. Most of those fixed solve issues that could allow attackers to achieve arbitrary code execution by serving maliciously crafted web content.
iOS 12.2 also splats:
- Two bugs that could allow a malicious application (CVE-2019-8566) or a website (CVE-2019-6222) to access the device’s microphone without the microphone use indicator being shown
- Two bugs in the Feedback Assistant component that could allow a malicious application to gain root privileges (CVE-2019-8565) or to overwrite arbitrary files (CVE-2019-8521)
- A bug in the GeoServices component (CVE-2019-8553) that could be triggered by clicking a malicious SMS link and lead to arbitrary code execution
- A bug in Mail (CVE-2019-7284) that could lead to S/MIME signature spoofing
- A bug in Safari (CVE-2019-8554) that would allow a website to access sensor information without user consent.
The tvOS update also carries much of the fixes covered in the iOS update, including those for the GeoServices flaw and one affecting Siri (CVE-2019-8502), which would allow a malicious application to initiate a dictation request without user authorization.
The Safari update fixes the aforementioned WebKit flaw and plugs two security holes in the Safari Reader feature that could be exploited for cross site scripting by a maliciously crafted webpage.
The macOS update plugs the WebKit holes, various kernel flaws, the aforementioned Feedback Assistant and Siri bugs, and a host of others. Among those of note are:
- CVE-2019-6239, a bug affecting the BOM (Bill of Materials) files, which are used by macOS installers. The bug could allow a malicious application to bypass Gatekeeper (security) checks
- CVE-2019-8522, a flaw affecting the DiskArbitration component. This logic issue could allow an encrypted volume to be unmounted and remounted by a different user without prompting for the password
- CVE-2019-8537, a flaw that could allow allow a local attacker to view a user’s locked notes.