Apple wasted little time snuffing out bugs in its macOS Catalina operating system. On Tuesday, Apple rolled out 16 patches addressing a wide range of Catalina bugs in components such as CoreAudio, IOGraphics and WebKit. The security fixes are exclusively for macOS 10.15; so pre-Catalina releases of macOS will have to wait for fixes.
While specifics are scant on each of the bugs addressed, Apple did share some details. Two bugs (CVE-2019-8781, CVE-2019-8717) impact the macOS kernel and would allow for arbitrary code-execution, it reported. Both are tied to memory-corruption issues. In one case, Apple said the flaw was addressed via improved state management, and in the other via improved memory handling.
Apple’s browser engine, WebKit, also received two fixes (CVE-2019-8769, CVE-2019-8768) for browser history issues. The first fix tackles a bug that gives an adversary access to a user’s browser history when lured to visit a maliciously crafted website. The second bug makes it impossible to delete browsing history items.
“‘Clear History and Website Data’ did not clear the history,” Apple wrote.
Meanwhile, a vulnerability (CVE-2019-8748) tied to the microprocessor AMD could allow an attacker to “execute arbitrary code with kernel privileges,” wrote Apple. Intel’s Graphic Driver also received a patch (CVE-2019-8758) that could allow an application to execute arbitrary code with system privileges.
Two additional bugs are tied to the Apache web server and PHP that comes preinstalled with Catalina. Tracked as CVE-2019-11041, this flaw is rated high-severity and according to the bug description, the patch is an update to existing issue effecting the PHP EXIF extension that could lead to information disclosure or crash. A related bug (CVE-2019-11042), also impacting the PHP EXIF extensions, could create conditions that may also lead to information disclosure or crash.
Windows Patches for iCloud and iTunes
Apple patches addressed vulnerabilities in its iCloud software for Windows 7.14 and 10.7.
As for the Windows 1.14 and 10.7 version of iCloud, Apple released eight patches impacting Apple’s UIFoundation and the WebKit browser engine. According to Apple, Foundation is tied to a framework that “provides a base layer of functionality for apps and frameworks, including data storage and persistence, text processing, date and time calculations, sorting and filtering, and networking.”
Tracked as CVE-2019-8745, the UIFoundation created conditions where “processing a maliciously crafted text file may lead to arbitrary code execution,” Apple wrote. The bug was found by Zero Day Initiative, who added that the bug “is an out-of-bounds read vulnerability that occurs when parsing the crafted doc file.”
Two of the WebKit bugs (CVE-2019-8625, CVE-2019-8719) were discovered by Google Project Zero researcher Sergei Glazunov. Apple and Google aren’t revealing much about the bug only that: “Processing maliciously crafted web content may lead to universal cross site scripting.”
Additionally, Apple notified customers that its iTunes for Windows (12.10.1) also received multiple patches also impacting UIFoundation and WebKit. Each of these bugs shared the same CVE tracking numbers as those with iCloud.
What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.
