Another month, another batch of Apple security updates that users of the firm’s computers, phones, tablets, streaming devices and smart watches will be prompted to implement.
Flaws fixed in most of the updates
As usual, WebKit – the browser engine used in Apple's Safari browser and other products – has the largest number of flaws fixed.
Most of the WebKit flaws are memory corruption issues that can be triggered by processing maliciously crafted web content and could lead to arbitrary code execution. Those are fixed in macOS, iOS, tvOS, Safari and (in a more limited number) in the watchOS update.
When updated, all of those Apple devices will also receive fixes for three flaws in XNU, the OS kernel they have in common. One of these, CVE-2019-8605, could be exploited by a malicious application to execute arbitrary code with system privileges.
They also share fixes for four vulnerabilities affecting the SQLite component. All of them were flagged by Omer Gull of Check Point Research, and one of them can be triggered by sending a maliciously crafted SQL query and could lead to arbitrary code execution.
Among the vulnerabilities fixed in macOS, there are some more unusual than others:
- A flaw in DesktopServices that could allow a malicious application to bypass Gatekeeper checks (CVE-2019-8589).
- An EFI authentication issue that may result in users unexpectedly getting logged in to another user’s account (CVE-2019-8634).
Also of note are two flaws in the CoreAudio component that can be triggered by the OS processing a maliciously crafted audio or movie file (CVE-2019-8592, CVE-2019-8585).
One of these has also been fixed in the iOS update, along with:
- CVE-2019-8626, a Mail flaw that could be triggered via a maliciously crafted message to lead to a DoS condition
- CVE-2019-8617, a flaw in the Photo Storage component that could allow a sandboxed process to circumvent sandbox restrictions
- CVE-2019-8620, a Wi-Fi vulnerability that could be exploited by attackers to track devices by their Wi-Fi MAC address.
The tvOS and watchOS updates have patches for, more or less, the same vulnerabilities.
Security update for Apple TV software
Finally, it’s interesting to note that for the first time in over three years Apple has delivered a security update for Apple TV Software, the tvOS precursor that powers third-generation Apple TVs.
The software is based on iOS and the fixes it received are for:
- A Bluetooth input validation issue (CVE-2017-14315) that could be exploited remotely to cause an unexpected application termination or arbitrary code execution
- Two flaws in the Wi-Fi component (CVE-2017-9417, CVE-2017-6975) that could only be exploited by attackers in range, but could result in arbitrary code execution on the Wi-Fi chip.
All the flaws date back to 2017. The Bluetooth one can be exploited in so-called BlueBorne attacks.