In the last few days, Apple has staggered security updates for many of its products, including the recently unveiled macOS Catalina.
Safari, tvOS, iPadOS, iOS, iCloud, iTunes updates
The Safari update delivered fixes for 14 CVE-numbered Webkit and WebKit Process Model vulnerabilities, most of which are memory corruption issues that may lead to arbitrary code execution if maliciously crafted web content is processed (i.e., users visit malicious web pages).
The same flaws were also fixed in the tvOS, iPadOS and iOS update (for iOS 13).
In addition to those, tvOS 13.2 fixes memory corruption issues in several other components, two kernel flaws, and an authentication issue (CVE-2019-8803) that may allow a local attacker to login to the App Store account of a previously logged in user without valid credentials.
Many of these have also been fixed in iOS 13.2 and iPadOS 13.2, including CVE-2019-8803. Other patched issues of note are those for:
- CVE-2019-8793, discovered by a Florida 6th grader, which may allow a local user to record the screen without a visible screen recording indicator, and
- CVE-2019-8789, a validation issue that may allow attackers to leverage a maliciously crafted iBooks file to get at user information.
The contents of the iOS 12.4.3 security update are currently unavailable, and so are those for watchOS 5.3.3, but the watchOS 6.1 update brings (among other things) the WebKit and kernel fixes, and fixes for CVE-2019-8803 (the App Store account issue) and CVE-2019-8747, a memory corruption flaw in the AppleFirmwareUpdate kernel extension, which could allow a malicious application to execute arbitrary code with kernel privileges.
The and iCloud updates (for Windows 7 through 10) are pretty lightweight: the Webkit fixes take most of the space.
macOS Catalina update
The macOS Catalina update (10.15.1) and the two security updates for macOS High Sierra and Mojave are, expectedly, more hefty. They contain (among other things):
- Several kernel fixes
- Updated third-party libraries (e.g., libxslt, libxml2)
- Fixes for three flaws affecting CUPS, the maOS printing system
- Fixes for the App Store account auth issue (CVE-2019-8803), a privilege escalation flaw in File Quarantine (CVE-2019-8509), a variety of memory corruption issues in the various drivers, two flaws in AppleGraphicsControl, one of which could allow an application to execute arbitrary code with system privileges (CVE-2019-8716).