Apple Update Fixes WebKit Flaws in iOS, Safari

Apple’s security update included a slew of vulnerabilities in various components of iOS, macOS and Safari – the most severe of which could enable remote code execution.

Apple has released a slew of patches across its iOS and macOS operating systems, Safari browser, watchOS, tvOS and iTunes. The most serious flaw in this latest security update, released Tuesday, exists in the WebKit and could enable remote code execution.

Of the CVEs disclosed, 30 affected Apple’s iOS, 11 impacted Safari and 27 affected macOS. Users for their part are urged to update to iOS 13.4, Safari 13.1 and macOS Catalina 10.15.3. While Apple typically is initially tight lipped when it comes to vulnerability details in security updates, it did outline eight flaws that were fixed in Apple’s WebKit browser engine, which could enable anything from cross-site scripting (XSS) attacks to remote code execution in iOS and Safari.

The most severe of these vulnerabilities is a type confusion bug (CVE-2020-3897) in WebKit. Type confusion flaws are caused when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking. This specific flaw could be abused by a remote attacker – but user interaction is required to exploit the vulnerability in that the target must visit a malicious page or open a malicious file.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple Safari,” Dustin Childs, manager with Zero Day Initiative, told Threatpost.  “The specific flaw exists within the object transition cache. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.”

The issue “was addressed with improved memory handling,” according to Apple.

Another type confusion issue (CVE-2020-3901) was found in WebKit, that could lead to arbitrary code execution. This flaw could be exploited if an attacker persuades a victim to process maliciously crafted web content, according to Apple.  Apple also addressed a memory corruption issue (CVE-2020-3895, CVE-2020-3900), and a memory consumption issue (CVE-2020-3899) that could could enable attackers to launch code execution attacks.

Finally, the tech giant also fixed an input validation bug in WebKit (CVE-2020-3902) that could allow attackers to launch a cross-site scripting attack. The attackers would need to first persuade victims to process maliciously crafted web content.

Affected are iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation; as well as macOS Mojave and macOS High Sierra, and included in macOS Catalina.

Other Flaws

Apple also disclosed two kernel vulnerabilities affecting iOS and macOS. The first was a memory initialization issue (CVE-2020-3914) that could allow an application to read restricted memory; the second was memory corruption issues (CVE-2020-9785) in the kernel potentially allowing a malicious application to execute arbitrary code with kernel privileges.

Other iOS vulnerabilities of note include a Bluetooth flaw (CVE-2020-97700), stemming from a logic issue, that could enable an attacker “in a privileged network position” intercept Bluetooth traffic; a use after free issue (CVE-2020-9768) in the iOS image processing tool that could allow an application to execute arbitrary code with system privileges; and, a logic issue (CVE-2020-3891) in the Messages app that could allow a person with physical access to a locked iOS device to respond to messages – even when replies are disabled.

Notable macOS flaws that were addressed include a logic issue in FaceTime (CVE-2020-3881) that could allow a local user to view sensitive user information; an information disclosure issue stemming from the Intel graphics driver (CVE-2019-14615) that could allow a malicious application to disclose restricted memory.

Finally, a logic issue was fixed in TCC, or the privacy protection system in macOS, (CVE-2020-3906) that could allow maliciously crafted applications to bypass code signing enforcement. According to Patrick Wardle, principal security researcher with Jamf, who discovered this flaw, the vulnerability means “a local unprivileged attacker or malware could generate synthetic clicks, allowing the majority of security and privacy prompts to be bypassed.”

“This bug could be abused as part of a multi-stage attack, stage 0 would be to infect the system, stage 1 would then be do things like access the user’s location, access the mic/webcam, modify system preferences, etc.,” he told Threatpost.

On a related note, Apple also this week said that it Safari browser now blocks third-party cookies, alongside some changes to Apple’s Intelligent Tracking Prevention (ITP) in iOS and iPadOS 13.4.Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles