UPDATE
Apple tackled a bevy of vulnerabilities across all its platforms Tuesday, including one that allowed a remote attacker to initiate a FaceTime call by exploiting a bug in some model iPhones, iPads, and iPad Air devices. The wide-ranging security fixes came on the same day Apple announced a new laptop and Mac Mini, and a new iPad Pro.
Most notable of the vulnerabilities fixed by Apple was the FaceTime vulnerability, CVE-2018-4367, found by Google Project Zero researcher Natalie Silvanovich. According to Apple, a memory corruption bug in affected devices allows a “remote attacker may be able to initiate a FaceTime call causing arbitrary code execution.”
According to Apple’s security notes, Tuesday’s patch address the FaceTime bug in iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
A second FaceTime bug (CVE-2018-4366) was also discovered by Silvanovich and patched by Apple. The security bulletin description of the bug is scant and only states “a remote attacker may be able to leak memory” because of a memory corruption issue impacting input validation.
The FaceTime flaw, CVE-2018-4366, could allow an attacker to use FaceTime to leak memory. The CVE affect all iPhones from the 5s on, iPads from the iPad Air, and the sixth generation iPod Touch.
Apple has also shut down two vulnerabilities that could allow a hacker to bypass an iPhone’s lock screen, and access a user’s Photos or Notes. The exploits were first revealed by researcher Jose Rodriguez on YouTube.
Flaws in iOS’ IPSEC, kernel, and graphics drivers are among other CVEs addressed in the update. Apple has also shut down vulnerabilities in WebKit – which drives the Safari browser on iOS and MacOS. These included address bar spoofing, and a flaw, CVE-2018-4409 found by Sabri Haddouche of Wire Swiss, which could lead a malicious website to carry out a denial of service attack.
The iOS 12.1 update also shuts down CVEs in Messages, Notes, and Wi-Fi. Apple also addressed an issue in iOS’ core crypto, where an attacker could have used a weakness in the Miller-Rabin prime number test to compromise encryption.
Mac computer users also received security updates, with a new version of Mac OSX Mojave – 10.14.1 – and security releases for Sierra and High Sierra. The Mac updates include a fix for the Miller-Rabin prime number flaw, as well as CVEs that affect the hypervisor, Intel graphics drivers, the printing system CUPS, IO and the Mac’s EFI. There are seven sets of patches for the Mac OS kernel.
One of the October macOS patches included a kernal fix (CVE-2018-4407) for Sierra 10.12.6, macOS High Sierra 10.13.6. Apple said the patch corrected a memory corruption issue that could allow an attacker – in a privileged network position – to be able to execute arbitrary code.
Researcher Kevin Backhouse is credited for finding the kernel RCE buffer overflow, CVE-2018-4407, back in September.
“The vulnerability is a heap buffer overflow in the networking code in the XNU operating system kernel,” wrote Backhouse in his blog.
“To trigger the vulnerability, an attacker merely needs to send a malicious IP packet to the IP address of the target device. No user interaction is required… Since an attacker can control the size and content of the heap buffer overflow, it may be possible for them to exploit this vulnerability to gain remote code execution on your device.”
He advises owners of unmatched iOS and macOS devices to avoid public Wi-Fi networks.
Apple has also released updates for WatchOS and for the tvOS, as well as updated versions of iTunes and iCloud for Windows. However, the Watch update – WatchOS5.1 – has been withdrawn.
Some users of fourth-generation Apple Watches reported that the update caused their devices to enter a boot-up loop. Affected users can contact Apple Care, and the company said it will release a patched version of WatchOS5.1 shortly.
(This article was updated with researcher commentary on 10/31/18 at 1:48 pm ET.)