Apple delivers March 2020 security updates for iDevices and software

If you haven’t yet opted for automatic Apple security updates, it’s time to update your iDevices and software again.

The lightweight Apple security updates

The security update for Xcode – an integrated development environment for macOS containing a suite of software development tools developed by Apple for developing software for macOS, iOS, iPadOS, watchOS, and tvOS – offers no details about fixed security issues.

The iCloud (1, 2) and iTunes for Windows updates contain the same fixes:

• Three buffer overflow flaws in libxml2, a software library for parsing XML documents
• Ten security vulnerabilities in the WebKit browser engine, six of which could lead to arbitrary code execution if maliciously crafted web content is processed.

The tvOS update contains all those fixes, plus patches for a few kernel flaws, several vulnerabilities that could allow a malicious application to execute arbitrary code with system privileges, and one vulnerability stemming from poor handling of icon< caches that could be exploited by a malicious application to identify what other applications a user has installed.

The watchOS update also fixes that last flaw, as well as some of the three libxml2 vulnerabilities, several of the code execution flaws affecting WebKit, the kernel security holes, and a logic issue affecting Messages, which could allow a person with physical access to a locked device to respond to messages even when replies are disabled.

The heftier updates

iOS 13.4 and iPadOS 13.4 bring, among other things, fixes for:

• The aforementioned WebKit, libxml2, kernel and Icon flaws
• CVE-2020-9770, a logic issue that could allow an attacker in a privileged network position to intercept Bluetooth traffic
• The aforementioned flaw affecting the privacy of Messages on a locked device
• A flaw in Mail that could allow a local user to view deleted content in the app switcher
• Two Safari flaws, one of which could make users grant website permissions to a site they didn’t intend to
• A WebApp flaw that could allow a maliciously crafted page to interfere with other web contexts

Safari 13.1 delivers all the WebKit fixes and plugs a hole that could allow a malicious iframe to use another website’s download settings. (With Safari 13.1, Apple also started blocking third-party cookies.)

The macOS security updates (macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra) fix a wider variety of flaws, including:

• Those already mentioned in libxml2, kernel, icons
• Bluetooth vulnerabilities that could allow a malicious application to read restricted memory or execute arbitrary code with kernel privileges
• CVE-2020-9776, a flaw that could allow a malicious application to access a user’s call history
• Several flaws that could allow an application to gain elevated privileges
• An injection issue affecting Mail that could allow a remote attacker to cause arbitrary javascript code execution
• A sudo issue that could allow an attacker to run commands as a non-existent user
• CVE-2020-3906, a vulnerability that could allow a maliciously crafted application to bypass code signing enforcement.