Apple patched 51 vulnerabilities rated serious with its iOS (12.2) update. One of the most serious bugs could allow apps to secretly listen to end users.
Apple’s iOS security updates, announced Monday during its March product announcement event, are for the iPhone 5s and later, iPad Air and later and iPod touch 6th generation. The phone maker also disclosed security updates across other products including iTunes, Safari, macOS, and iCloud.
The eavesdropping iOS vulnerability existed in ReplayKit, which allows game developers to give players the ability to easily record and share gameplay. The flaw (CVE-2019-8566) stems from an API issue existed in the handling of microphone data and could allow a malicious application to secretly access the user’s microphone. “An API issue existed in the handling of microphone data,” according to Apple’s update. “This issue was addressed with improved validation,” it stated.
Meanwhile, 19 of the phone makers’ iOS vulnerabilities were discovered in the Webkit browser engine used by Safari, Mail, App Store and other apps on macOS, iOS and Linux.
These vulnerabilities included multiple memory corruption issues, which occurs when memory location contents are modified, exceeding the intention of the program constructs and potentially leading to malicious actions such as arbitrary code execution.
The iOS memory corruption issues (CVE-2019-6201, CVE-2019-8518, CVE-2019-8523, CVE-2019-8524, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, CVE-2019-8562, CVE-2019-8536, CVE-2019-8544, CVE-2019-8535) could allow bad actors to process maliciously crafted web content. That could lead to arbitrary code execution on vulnerable devices or allow an adversary to circumvent sandbox restrictions.
Another vulnerability (CVE-2019-6222) — stemming from a “consistency issue” — could allow a website to access the microphone without the microphone use indicator being shown. This was addressed “with improved state handling,” according to Apple.
Apple also disclosed a logic issue (CVE-2019-8551) that could lead to attackers creating maliciously crafted web content which could lead to universal cross site scripting; a cross-origin issue in the fetch API of Webkit (CVE-2019-8515) which could disclose sensitive user information; and two use after free flaws (CVE-2019-7285 and CVE-2019-8556) that could allow arbitrary code execution.
Other Bad Bugs
Apple also fixed an array of vulnerabilities including a bug in GeoServices, the geo-location data services feature of iOS. The flaw (CVE-2019-8553), highlighted by Apple security expert Patrick Wardle, could lead to arbitrary code execution when a user clicks a malicious SMS link.
iOS 12.2 patches a ton of security bugs, including CVE-2019-8553: "Clicking a malicious SMS link may lead to arbitrary code execution" 👾💬😱
…brb, updating 📲 pic.twitter.com/fhqeb4BJb3
— patrick wardle (@patrickwardle) March 25, 2019
Apple also fixed two bugs (CVE-2019-8565, CVE-2019-8521) in its Feedback Assistant component (a built-in app to send feedback to Apple). The flaws could allow a malicious app to gain root privileges or overwrite arbitrary files.
Apple’s macOS Mojave 10.14.4, which updates its Mac operating system, also squashes some pesky bugs. Those include a previously disclosed Apple Keychain flaw – stemming from a use after free issue. The flaw (CVE-2019-8526) impacted macOS, and could allow an attacker to extract passwords from a targeted Mac’s keychain password management system. While the researcher who discovered the attack, Linus Henze, originally refused to disclose it, citing Apple’s lack of macOS bug bounty program, he eventually submitted the exploit and Apple issued a fix.
— Linus Henze (@LinusHenze) March 25, 2019
Also patched were a macOS buffer overflow issue in the operating system’s “Contacts” feature which could allow a malicious application to elevate privileges and view users’ contacts (CVE-2019-8511); as well as an access issue that could allow a bad actor to view users’ locked notes (CVE-2019-8537).